Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Fake antivirus for mobile platform spotted

By Dancho Danchev | April 27, 2011, 8:51am PDT

Summary: Security researchers from CA have spotted a bogus mobile antivirus scanner using the Kaspersky brand.

Security researchers from CA have spotted a bogus mobile antivirus scanner using the Kaspersky brand. Spread through social engineering, and relying on hardcoded scan results rather than any real scanning, the rogueware tries to convince users that their device is infected with malware.

What about the monetization vector? SMS-based micropayments would have been the logical choice; however, the hardcoded error message suggests an early-stage experiment on the attackers' part rather than a finished scheme.

What do you think? Are we going to see a tremendous growth of scareware on mobile platforms, the way we’re currently witnessing it on the Windows OS?

Biography

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He has been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.
41 Comments

if a user installed the malware means it succeeded.
Bakabaka 9th May
From what I understand, this app is disguised as a legitimate antimalware software available directly from Google Play, the official outlet for Android apps. That message could be a sleight-of-hand trick to install keyloggers or other types of malicious attack tools while fooling n00bs and experts alike.

Just to see how many users can be reached by a potential attack is almost just as valuable to people that want to steal identities. It's like fishing (the real fishing, not phishing): eventually you will get a bite.
0 Votes
+ -
RE: Fake antivirus for mobile platform spotted
Return_of_the_jedi Updated - 27th Apr 2011
Do any mobile devices have a "C:\" drive?

Maybe it's targeted at Windows Phone 7 because of market share? NOT!
@Return_of_the_jedi

Thanks for the confirmation on that. I'd be really worried now if I owned a phone with one of those OSes on it, since you don't target what you can't hack.
0 Votes
+ -
@John Zern Everything can be hacked. You can't be that naive, can you?
0 Votes
+ -
@John Zern If you can get access to the supervisor/kernel, and know your way around the file system (whether it uses a drive letter as above, or a volume name), then you can 'hack' something.

That said, malware that tells you the device's C: drive is infected, when the device has no C: drive, would only catch the gullible.
0 Votes
+ -
RE: Fake antivirus for mobile platform spotted
mgaul Updated - 27th Apr 2011
@John Zern

The majority of people that have an Android or iDevice use Windows. From that, it can be a reasonable conclusion for the average Joe that all computing devices are the same and operate the same. Therefore, all computers have a "C:" drive. Remember, not everyone is a tech-savvy user.
@John Zern I think it's not so widely spread and a forgettable virus.
oyun
0 Votes
+ -
RE: Fake antivirus for mobile platform spotted
mikroland Updated - 27th Apr 2011
@Return_of_the_jedi

You can't be that iNaive can you?

Windows phone doesn't have a C:\ drive.
It doesn't matter anyway because it's just a message and has nothing to do with the file system.
0 Votes
+ -
@mikroland ...... This type of thing could easily trap the non-IT individuals who wouldn't know the first thing about whether their phone has a C: drive or not.
0 Votes
+ -
@Return_of_the_jedi Symbian based phones, if I remember correctly, do. Or at least java swears they do.
0 Votes
+ -
RE: Fake antivirus for mobile platform spotted
Madushan Siriwardena 27th Apr 2011
@Return_of_the_jedi

C:\ drive may not be available... But consider this.

That emulator is Sun's J2ME emulator.
If you write a J2ME app and point it to C:\, most of the time J2ME maps this to the root of the phone's built-in memory (E:\ points to the SD card, etc.). This works on Symbian OS very well.

Windows Phone 7 doesn't allow direct access to storage. All apps see an isolated folder and cannot write or read data from storage. If you need to load a media file, you have to go through the media API and use the Music + Videos Hub.
Unless you jailbreak the phone, apps are not allowed access to the storage (which sometimes is a pain in the butt). So you don't have to worry about WP7.

We should always look at what we allow an application to do when we install it. Most platforms show what permissions the app requires before installing it.
0 Votes
+ -
RE: Fake antivirus for mobile platform spotted
RAMChYLD Updated - 27th Apr 2011
@Return_of_the_jedi Yes, there are.

Nokia's Symbian devices. My N97 has a C:\ drive, a D:\ drive, and the MicroSD card is mapped as an E:\ drive.

Given that Symbian's roots are traced back to Psion who tried very hard to copy MS-DOS to make their devices accessible to suits who're used to PCs, tho, it's hardly surprising.

This is doubly funny when you realized that Nokia's ditching the Symbian platform soon.
0 Votes
+ -
@Return_of_the_jedi
Recently I was infected with a similar virus on my desktop; it appears to have infected Malwarebytes, so I could not run it to remove the problem.
0 Votes
+ -
too funny
T Mike 27th Apr 2011
No, well my WM6.1 uses nothing like that above: c:\
- but hey, it could have changed for WM6.5 & later.

I believe we are going to see an explosion of socially-engineered mobile malware in the remainder of 2011/2012. There is now more than enough critical mass in both the iPhone and Android markets to justify the effort required to create this malware, and the thieves sense an opening, left by both the hyper-social nature of mobile computing as well as the general lack of a perceived threat.
0 Votes
+ -
I wondered when......
SilverPuppy 27th Apr 2011
I work in computing, and I frankly did wonder how long it would be before the evilware coders started attacking the mobile platforms. After all, there are so many billion of them in the world.....it's a huge untapped scam opportunity. Or was.
0 Votes
+ -
Thank you Microsoft.
james347 27th Apr 2011
For more disruption due to your incompetent products.
0 Votes
+ -
Re: Thank you Microsoft
coopejx@... 27th Apr 2011
@james347 How can you blame this on Microsoft ? Did they create or distribute this virus ? They didn't even create the emulator that it is displayed on.
0 Votes
+ -
Why blame Microsoft for anything? Right?
Joe.Smetona Updated - 28th Apr 2011
@coopejx@... After all, they just get their money and run. They can always get Ed to write another article dismissing Microsoft's culpability. If you know anything about Quality Assurance, you know that MS is the pits. They don't accept responsibility or ownership for anything, even their own OS. After all, anti-virus companies and users are responsible for MS defects. Amazing dichotomy at work here, and most surprising is the number of people that go along with it. Wait till the botnets start pounding WP7 for some real gnashing of teeth.

It is very interesting to see the results of MS propaganda here in these comments. Actually very scary to see how much people can be manipulated.

Ms is viewed as the innocent victim. Where did that come from?
0 Votes
+ -
@james347 Did you thank Nissan when your Stanza was stolen? What about the US Mint when your jar of pennies was taken off your desk?

You might be better off if you just quit your bellyaching and grow up.
0 Votes
+ -
RE:Thank you Microsoft.
richdave 28th Apr 2011
@james347

Thank you and congratulations on being the first idiot to attack Microsoft. It truly does not matter that the piece made no specific mention of Microsoft re:malware in the mobile space. No, by golly, that didn't slow you down a bit.
0 Votes
+ -
It's pretty obvious.
Joe.Smetona Updated - 28th Apr 2011
@richdave ...Microsoft dedicated 0.4 billion to advertise WP7.

http://techcrunch.com/2010/08/26/microsoft-half-billion-dollars-windows-phone-7/

You ain't see'in it yet. And my opinion is Carriers are holding back and MS is holding back. They don't want to be stuck holding the bag for angry customers with botnet overages and listening to Ed Bott rant on how it's the carriers' fault.

They don't know how to sell AV to an Android and Apple market that doesn't need AV. Smartphones are grab-go-use devices and this crowd isn't going to tolerate AV or botnet infections sending out 2,400 spam emails a day on their data plan.

James347 has a very valid point. Microsoft is closed source, which is no longer an effective way to protect an OS. (That's why MS always needs AV and the others do not.) Something they haven't learned yet.

Linux (Android) source code has been available to everyone through the GNU/GPL license since version 1.0 in 1991. Microsoft doesn't want you to know Linux has been more secure than Windows even though its complete kernel and OS blueprint has been available to everyone for 20 years. MS and posts here are primarily propaganda by omission.

If MS source code was ever published, it would lead to a Cyber-Armageddon. Guaranteed.

Your entire security with Windows is tied to the secrecy of its source code.
0 Votes
+ -
Microsoft sucks, so do I, can't afford an Apple....
0 Votes
+ -
These A-holes MUST BE STOPPED!
If it were up to me I'd impose a mandatory 10 years hard labor for anyone associated with writing, releasing, or distributing any type of malicious code.
Repeat offenders would be executed by public hanging.
0 Votes
+ -
@Cobranut Glad you're not a nation's leader; sounds like Adolf Hitler's offspring.
0 Votes
+ -
@MrElectrifyer Did you know that when D-Day started, Hitler was asleep and was not woken up to take the alerting phone call to bring in the reserves. Not even a text message.
0 Votes
+ -
If I'm right this has nothing to do with WP7, he just mentioned "Windows OS" because of the prevalence of fake anti-virus-viruses on the Windows PC operating systems.
0 Votes
+ -
Insecure.
Joe.Smetona Updated - 28th Apr 2011
@wafflesxo ..Unfortunately, MS is not designed with security in mind, rather the closed source concept is used to protect it. That may have worked in the beginning, but not now and the bridge is built, but it's all wrong.
0 Votes
+ -
Mobile malware is evolving
john_e_w 27th Apr 2011
@John Westra & @SilverPuppy: I totally agree with your points. I think mobile malware is following the "Law of Computer Virus Evolution":

In order for malicious programs targeting a particular operating system or platform to emerge, three conditions need to be fulfilled:
* The platform must be popular
* There must be well-documented development tools
* The presence of vulnerabilities or coding errors

I would add a fourth:
* A user-base unaware/uninformed of the threat of malware
0 Votes
+ -
It's a Java MIDlet, running in the Sun WTK Emulator. So to do anything on the device it would ask for permissions first unless it was properly code signed, and even then it would ask for permissions the first time. Hardly a serious threat to the device, though a gullible user might sign up for something without realising what they are doing.
0 Votes
+ -
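The comment above identifies the sample as a Java MIDlet whose access to protected APIs is gated by permission prompts and code signing, and the article speculates about SMS micropayments as the monetization path. As an added example for this page (not code from the article, from CA or from Kaspersky), the following Python script triages a J2ME .jad descriptor for exactly those signals: a request for the SMS send permission, the absence of a signing certificate and JAR signature, and a security-vendor brand in the vendor field of an unsigned app. The attribute names are the standard MIDP 2.0 descriptor fields; the two descriptors embedded in the script are constructed for illustration, and the list of impersonated brands is an assumption.

```python
"""Static triage of a J2ME application descriptor (.jad).

Added example for this page; it is not code from the article, from CA or from
Kaspersky. The attribute names used (MIDlet-Name, MIDlet-Vendor,
MIDlet-Permissions, MIDlet-Permissions-Opt, MIDlet-Certificate-1-1,
MIDlet-Jar-RSA-SHA1) are the standard MIDP 2.0 descriptor fields. The two
descriptors below are constructed for illustration and do not describe the
actual sample.
"""

# Protected APIs whose request by a self-described "antivirus" deserves a second look.
# SMS sending is the premium-rate monetisation path the article speculates about.
SUSPICIOUS_PERMISSIONS = {
    "javax.wireless.messaging.sms.send": "can send SMS (premium-rate monetisation path)",
    "javax.microedition.io.Connector.sms": "can open SMS connections",
    "javax.microedition.io.PushRegistry": "can register for network push wake-ups",
}

# Security brands an unsigned MIDlet has no business claiming as its vendor (assumed list).
IMPERSONATED_VENDORS = ("kaspersky", "symantec", "norton", "mcafee", "avg", "avast")


def parse_jad(text):
    """Parse the 'Attribute-Name: value' lines of a JAD into a dict."""
    attrs = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank or malformed line; the format is one attribute per line
        name, value = line.split(":", 1)
        attrs[name.strip()] = value.strip()
    return attrs


def split_permissions(value):
    """MIDlet-Permissions is a comma-separated list; normalise it to a clean list."""
    return [p.strip() for p in value.split(",") if p.strip()]


def is_signed(attrs):
    """A signed MIDlet carries at least one certificate chain entry and a JAR signature."""
    return "MIDlet-Certificate-1-1" in attrs and "MIDlet-Jar-RSA-SHA1" in attrs


def triage_jad(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    attrs = parse_jad(text)
    findings = []

    requested = split_permissions(attrs.get("MIDlet-Permissions", ""))
    requested += split_permissions(attrs.get("MIDlet-Permissions-Opt", ""))
    for perm in requested:
        if perm in SUSPICIOUS_PERMISSIONS:
            findings.append(f"requests {perm}: {SUSPICIOUS_PERMISSIONS[perm]}")

    signed = is_signed(attrs)
    vendor = attrs.get("MIDlet-Vendor", "")
    if not signed:
        findings.append("unsigned MIDlet: protected API calls will prompt the user, "
                        "and the vendor string is unverified")
    if not signed and any(brand in vendor.lower() for brand in IMPERSONATED_VENDORS):
        findings.append(f"vendor claims '{vendor}' with no signing certificate: "
                        "likely brand impersonation")

    return findings


# Constructed descriptor mimicking the rogue "scanner" the article describes.
ROGUE_JAD = """\
MIDlet-1: Kaspersky Mobile Security, /icon.png, ScannerMIDlet
MIDlet-Name: Kaspersky Mobile Security
MIDlet-Vendor: Kaspersky Lab
MIDlet-Version: 1.0.0
MIDlet-Jar-URL: kms.jar
MIDlet-Jar-Size: 48123
MicroEdition-Configuration: CLDC-1.1
MicroEdition-Profile: MIDP-2.0
MIDlet-Permissions: javax.wireless.messaging.sms.send, javax.microedition.io.Connector.http
"""

# Constructed descriptor of a signed app that only needs HTTP; it should produce no findings.
SIGNED_JAD = """\
MIDlet-1: Weather, /w.png, WeatherMIDlet
MIDlet-Name: Weather
MIDlet-Vendor: Example Vendor
MIDlet-Version: 2.1.0
MIDlet-Jar-URL: weather.jar
MIDlet-Jar-Size: 20480
MicroEdition-Configuration: CLDC-1.1
MicroEdition-Profile: MIDP-2.0
MIDlet-Permissions: javax.microedition.io.Connector.http
MIDlet-Certificate-1-1: (base64 DER certificate, placeholder)
MIDlet-Jar-RSA-SHA1: (base64 signature, placeholder)
"""

if __name__ == "__main__":
    for label, jad in (("rogue", ROGUE_JAD), ("signed", SIGNED_JAD)):
        findings = triage_jad(jad)
        print(f"{label}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The script only reads the descriptor, so it is safe to run on an untrusted .jad before the JAR is ever installed on a handset. Presence of the certificate attributes does not by itself prove the signature is valid; a full check would verify the chain against the device's trusted roots, which is what the phone does at install time.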
Finally, no more arguments about market share.
Joe.Smetona Updated - 28th Apr 2011
Windows will be targeted and without a sizable market share. Interesting to watch it develop.

Closed source is vulnerable because it's not designed with security in mind. Why do that when you can compile it and release the binary? No one will ever figure out what's going on. Right? happy
0 Votes
+ -
Download and try Android Honeycomb 3.0 for free.
Joe.Smetona Updated - 28th Apr 2011
Here's the link for the SDK and Honeycomb 3.0 download.

Try it on an extra PC or VM and discover what is really a hardware problem or a software problem.

http://developer.android.com/sdk/index.html
0 Votes
+ -
Sound advice
SiO2 29th Apr 2011
@Joe.Smetona
Nice, I need a new phone but I can't afford to experiment with all these new models.
I never thought of a VM, I run XP in one for LiveMail and VB, and boot the odd ISO now and again so it should be simple to find out what all the droid fuss is about for free. Cheers!

run to provide instructions in the Russian language.

strange.

as a newbie android tablet owner, i don't believe that being conditioned by the innate insecurity of windows to accept antivirus control of the machine will be a factor.

of course, i could be wrong.

so, back to the three laws of computing:
1. Backup
2. Backup
3. Backup

happy
0 Votes
+ -
Rule no. 1.
Joe.Smetona 28th Apr 2011
@wessonjoe ... Always download apps from a trusted source.

Linus Torvalds (founder of Linux) described security as a network of trust.
0 Votes
+ -
We have to be aware that more and more non-techy users will be getting smartphones and will demonstrate amazing ignorance in security terms. Whatever the motivation is, it represents an opportunity for financial, anarchic, or infamy gains.
0 Votes
+ -
Retarded Reporters
seaniepie 30th Apr 2011
@dancho you retarded reporter. This is old news from 2008!! It has nothing to do with ANY current device. Android's Marketplace is a security shambles but this article has nothing to do with it. Do your research first before reporting, idiot.
0 Votes
+ -
