
Another Batch of Android Malware

February 6, 2012 - By Chris Larsen

Time for a quick follow-up to the recent post on Android malware: a couple of weeks ago I came across an updated example, with bait both similar to and different from the earlier one, that is being used in on-going attacks...

In our Java-JAR logs was an interesting .APK file that looked worth a little investigation. Here's how the attack was structured:

  • Pages on several sites, most notably a Russian porn site, were injected with a JavaScript link to a shady site: autho-tds.be
  • That site returned a single line of JavaScript, which redirected the browser to another site, opera-mini.be, which looked like this:

[Screenshot: Russian fake Opera Mini software site]

  • I found copies of the same page on several other sites: club-operamini.ru, ultramobi.ru, javazoom.ru, operaru.net ...
  • Also noteworthy is another branch of the same network, which was using porn pictures to link to .APK files representing themselves as porn videos. (Showing that the Bad Guys tend to stick to tried-and-true bait, even as the platforms change.)
  • I collected three different samples of the .APK files. All were different sizes, and all were new to Virustotal when I checked. (Indicating a random element to make detection more difficult.)
  • All three samples were detected by just 2 of the 43 engines on VT -- similar to the early recognition rates for the payload in the earlier blog post.
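The chain above (injected script, redirect through a traffic-distribution host, APK served from a third domain) is something a proxy log can surface without any signature on the file itself, which matters when every sample is a new hash. The following is an added example written for this post, not the author's code; the log lines and domains are constructed, and the field layout is an assumption.

```python
"""Flag Android package downloads reached through a cross-site redirect chain."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

APK_TYPE = "application/vnd.android.package-archive"

# Constructed proxy log (not real traffic): time client status content-type url referer
SAMPLE_LOG = """\
2012-01-20T10:00:01 10.0.0.5 200 text/html http://video.example/page.html -
2012-01-20T10:00:02 10.0.0.5 200 application/javascript http://tds.example/go.js http://video.example/page.html
2012-01-20T10:00:03 10.0.0.5 302 text/html http://tds.example/r?x=1 http://video.example/page.html
2012-01-20T10:00:04 10.0.0.5 200 text/html http://fake-opera.example/ http://video.example/page.html
2012-01-20T10:00:09 10.0.0.5 200 application/vnd.android.package-archive http://fake-opera.example/OperaMini.apk http://fake-opera.example/
2012-01-20T10:05:00 10.0.0.7 200 application/vnd.android.package-archive http://store.example/app.apk http://store.example/
"""


def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        ts, client, status, ctype, url, referer = line.split()
        rows.append({"time": datetime.fromisoformat(ts), "client": client,
                     "status": int(status), "ctype": ctype, "url": url,
                     "host": urlparse(url).hostname,
                     "ref_host": urlparse(referer).hostname if referer != "-" else None})
    return rows


def find_apk_redirect_chains(log_text, window_seconds=30):
    """Return APK downloads preceded (per client, within the window) by a redirect
    from a host that is neither the referring page nor the host serving the APK."""
    by_client = defaultdict(list)
    for row in parse(log_text):
        by_client[row["client"]].append(row)
    hits = []
    for client, rows in by_client.items():
        for apk in (r for r in rows if r["ctype"] == APK_TYPE):
            window = [r for r in rows
                      if timedelta(0) <= apk["time"] - r["time"] <= timedelta(seconds=window_seconds)]
            # TDS-style hop: a 3xx answered by a third-party host relative to the page that linked it
            tds_hosts = {r["host"] for r in window
                         if 300 <= r["status"] < 400 and r["host"] not in (apk["host"], r["ref_host"])}
            for host in sorted(tds_hosts):
                # was a script also pulled from that host by a page on another site (the injected link)?
                injected = any(r["host"] == host and "javascript" in r["ctype"]
                               and r["ref_host"] not in (None, host) for r in window)
                hits.append({"client": client, "apk": apk["url"], "apk_host": apk["host"],
                             "tds_host": host, "injected_script": injected})
    return hits
```

Tightening the window or requiring `injected_script` trades recall for fewer false positives on legitimate redirect-then-download flows.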


One humorous bit of irony was found in one of the reasons listed for "upgrading" to the fake Opera app: "Due to our own compression system you save traffic and money!" (I somehow doubt that a victim would end up saving money with this, as typical Android malware is designed to generate income for the Bad Guys via premium-service SMS and the like...)

--C.L.