Porn clicker keeps infecting apps on Google Play

Lately we informed you how a fake Dubsmash application has been uploaded to Google Play Store at least nine times, which have tens of thousands of installs. This porn clicker Trojan, which we detect as Android/Clicker, has once more become available for download from Play Store. After we notified Google and published an article about these fake Dubsmash Trojans, we discovered other fake Dubsmash versions being uploaded again infected with the same porn clicker. We detected yet another 51 Trojan porn clickers accessible for the users to download. Four of them had more than 10,000 installs and one of them had more than 50,000 installs.
This 51 together with 9 fake Dubsmash we reported in the previous article users were able to download 60 different Trojan clicker applications from Google Play. These Trojan clickers were downloaded at least 210,000 times in the last three months. In the weeks after our article was published, these apps were installed more than 106,000 times.
This time not only were fake versions of Dubsmash uploaded by the same developer, we also found Download Manager, Pou 2, Clash of Clans 2, Subway surfers 2, Subway surfers 3, Minecraft 3, Hay Day 2, various game cheats and Video Downloaders being infected with the same Trojan Clicker.

Figure 1 Fake Subway Surfers 2

Figure 2 Fake Dubsmash 2

Figure 3 Fake Dubsmash V3

ESET is still seeing occurrences of this infiltration on Google Play and, after more than a month, these fake Trojan Clickers are still managing to evade Google’s Bouncer malware filter and potentially exposing millions of users to risk.

Figure 4 Porn clicker apps from Google Play

Interestingly, none of the fake applications will add a Dubsmash app icon to the app menu after installation. Instead the malicious apps pretend to be arcade games like Flappy Birds Family, board games or system applications.

Figure 5 Examples of Trojan app icons

Following ESET’s notification, Google has pulled the malware from the Play Store and also reports some of them as potentially harmful applications using its built-in security service.

Figure 6 Google security service notification of potentially harmful app

Conclusion

Even though the malicious applications were available for download for at most a week, tens of thousands of people still installed them. Hopefully, Google is doing its best to fix this issue and find a way to prevent the developers of these porn clickers from publishing them to the Play Store. To reduce the risk from malicious apps that may have slipped through Google’s filtering, we advise Play Store customers to take careful note of reviews by other customers, and to ensure that their security software is kept up to date.

More information

App Name	Uploaded	Installs
Dubsmash 2	27 May 2015	0 - 10
Dubsmash V3	28 May 2015	10,000 – 50,000
Dubsmash 2	30 May 2015	10,000 – 50,000
Dubsmash 2	2 June 2015	0 - 10
Dubsmash 2	4 June 2015	0 - 10
Dubsmash 3	9 June 2015	0 - 10
Download Manager	9 June 2015	0 - 10
Dubsmash 2	10 June 2015	0 - 10
Poo Video Downloader	13 June 2015	0 - 10
Dubsmash 2	14 June 2015	10 - 50
Dubsmash 2	17 June 2015	10,000 – 50,000
Dubsmash 3	19 June 2015	1,000 – 5,000
Dubsmash 2	20 June 2015	10 - 50
Best : Dubsmash 3!	1 July 2015	0 - 10
Komboatic	1 July 2015	0 - 10
Best : Dubsmash	4 July 2015	10,000 - 50,000
C l a s h o f C l a n s 2	4 July 2015	100 - 500
Cheats for Clash of Clans	6 July 2015	5,000 - 10,000
Dubs Mash 2	6 July 2015	1,000 - 5,000
Cheats & Trucos: Gta 5	6 July 2015	10 – 50
Maps & Guide: GTA 5	6 July 2015	100 – 500
Subway Surfers 2	7 July 2015	50,000 – 100,000
Best : Dubsmash	7 July 2015	1,000 – 5,000
Clash of Clans 2	8 July 2015	0 - 10
Pou 2	8 July 2015	5,000 - 10,000
Subway Surfers 3	8 July 2015	1,000 - 5,000
Followers for Instagram	8 July 2015	10 - 50
MayHayda	8 July 2015	500 - 1,000
MayHada	8 July 2015	500 - 1,000
Man Kaptasi	8 July 2015	100 - 500
Smash Hit 2	9 July 2015	500 – 1,000
Miviki yanki	10 July 2015	1,000 – 5,000
Flipagram 2	10 July 2015	100 – 500
Koday	10 July 2015	0 - 10
Deer Hunter 2015	10 July 2015	0 - 10
Minecraft 3	13 July 2015	0 - 10
Red Ball 6	13 July 2015	50 - 100
Archery Master 4	13 July 2015	0 - 10
Exploration Lite 2	14 July 2015	100 - 500
Traffic Racer 2	14 July 2015	50 - 100
Hitman Sniper 2	14 July 2015	50 - 100
Batman 2	14 July 2015	10 - 50
The Walking Dead 2	14 July 2015	0 - 10
Moto Loko 2	14 July 2015	0 - 10
Rally Racer 2	14 July 2015	0 - 10
Dr Driving 2	14 July 2015	100 - 500
Survivor Heroes 2	15 July 2015	0 - 10
Dubsmash 2	15 July 2015	10 – 50
Hay Day 2	15 July 2015	0 -10
Subway Surfers 2	19 July 2015	10 - 50
Dubsmash 2	19 July 2015	10 - 50

Package Name	MD5	ESET Detection name
com.chbded.chs	73DB1E459DA78A7C831209B687B6C12F	Android/Clicker.M
com.jet.cleandub	9334DAD2F7C9422E0D1C740D646C19DB	Android/Clicker.J
com.jet.dubsh	48A4BE6A7A6CBAB9C4A674F99E5158AA	Android/Clicker.J
com.memr.gamess	AC8D9DEEE2B07EF3A7C5BD2FC01560F1	Android/Clicker.M
com.androsadfg.downloadmanager	6CACBDD667504DC564050D5DD5CF683B	Android/Clicker.M
com.jet.ayak	28C5A7E4FC2E7CD446E03A88939596FD	Android/Clicker.P
com.wngrd.mp3remote	093412BCA7984039F5369DE6308D4C47	Android/Clicker.M
com.jet.shdub	11D32B18A096AE2D0F3D054BA0131492	Android/Clicker.J
com.poo.downloader	B85EEF771BE83A33E233A8CA587C9B9D	Android/Clicker.P
com.poo.db	88C8F6715D5466DA7C1EB7DBAB7584A8	Android/Clicker.P
com.poo.smm	13AFF08E4733C953BC7DE6A5D7C02FD2	Android/Clicker.P
com.huynoibomira.bobo	A845279F215ED6966B45D64E3369A1F2	Android/Clicker.M
com.ti.basegam	656E573C1277EE6607A0403CAA02AE25	Android/Clicker.M
com.biz2048.yilinda	331C93AFACD1433A2ECD7E5E7AEE9ADF	Android/Clicker.M
com.rikona.sa	390AE01ED49CBBE14EA91F347E806D8F	Android/Clicker.M
com.kankalar.cheats	167ABC463BC9C7A2D1EDC0E383806499	Android/Clicker.M
com.kankalar.clash2	F297E5A18A4025ECB0F34C8BF905B3F1	Android/Clicker.M
com.kankalar.elma	5AF9E1DE3D1D19DACB1AA98288E1CA25	Android/Clicker.M
com.sulale.chetastga	08B320694B898B0F6402FA8B45D301F8	Android/Clicker.M
com.sulale.cimmi	249A0660F18C53D91B58A680D78E9EC4	Android/Clicker.M
com.sulale.dubb	D11BB0B91595E6B6DE89FB7BF2C92F83	Android/Clicker.M
com.poo.cofc	4FBC4AB39C704088902A6C114A44F0F3	Android/Clicker.Q
com.poo.po	98961261BC663F4D3E6F073CE6575A48	Android/Clicker.Q
com.poo.way	3E62E455A15D99762198F8C5779F81AF	Android/Clicker.Q
com.poo.x	DC78620AA75EDBB846776760A88AE17A	Android/Clicker.Q
com.nguyenngocjumraze.suuu	21679FE29217DB6925B17CC4BF1FCE9B	Android/Clicker.M
com.nguyenngocjumraze.takip	3FD37BB6250F08A58C8932C630F57C4C	Android/Clicker.M
com.fet.hiye	47BE311A6CDA5B4981DB282CA1884BC9	Android/Clicker.M
com.kendo.yako	B0345E9392F2C79D2403B18FB7FFD419	Android/Clicker.M
com.nhantieplosengazi.flip	44D7A2E9B3D106C4D41311E23350A813	Android/Clicker.M
com.nhantieplosengazi.kivi	189E5E23A99AF963DBFD70FD9552661E	Android/Clicker.M
com.phutanjocohare.conc	CB6A3918CFFA7BEEF2EAD6E5C60F2A3E	Android/Clicker.M
com.phutanjocohare.jat	647987E48CF037E57CEEC6CB282F8124	Android/Clicker.M
com.phutanjocohare.may	9E4B0ADC7B4CF2353859EADBB928C688	Android/Clicker.M
com.pupa.yelken	5B35B0D5E04F9CDCFFF66D376805ADDF	Android/Clicker.M
com.xuanjonaterilove.sma	402AEF32A99C71602A51FF8A36F5ABFE	Android/Clicker.M
com.fryzombisaren.haa	4462CDA324E272FA63511D77486B82B9	Android/Clicker.M
com.fryzombisaren.hte	12D2DF188BAF7523BB04AC7735E6C818	Android/Clicker.M
com.cor2.lu	FAD2ABC5DBD0F081EB3E9509EA7840E9	Android/Clicker.M
com.eski.hisar	8C4AC0AD1435264D3219DB45FEC627F9	Android/Clicker.M
com.isken.derun	EC6359CEF3E0933467F62DD31F20AF09	Android/Clicker.M
com.kasta.monu	0D93F4278FC8288CEAA8FE5933BA64C6	Android/Clicker.M
com.manisa.turgutlu	FFB92BA3236CC5C9DF9A2EF5EDB3BDE2	Android/Clicker.M
com.pamuk.kale	474EA15E00B1EF9A29F1BF624B78FA4B	Android/Clicker.M
com.thanhbangzerisa.bat	1C4C8380C51CECDA01D40A841601A0BD	Android/Clicker.M
com.thanhbangzerisa.de	FE6B42F3872014C1CB4374611676B754	Android/Clicker.M
com.thanhbangzerisa.ex	97804ADBA13B706A3EA232FD28DC9B4D	Android/Clicker.M
com.thanhbangzerisa.hi	AF96768436794CE6161A4A62C82F5A0D	Android/Clicker.M
com.thanhbangzerisa.tita	E3E4984C3143B8461B38B187A31A0BEF	Android/Clicker.M
com.xuantonglazaderi.du	D59B2C7A28AE19FF2B85DB9C2EEEF29B	Android/Clicker.M
com.xuantonglazaderi.su2	1E5B2B33CF0A4AE45BF29C7C848C5F60	Android/Clicker.M

ที่มา : welivesecurity.com

แอพพลิเคชั่นบน Google Play ขโมยข้อมูลประจำตัวของ Facebook

ผู้ใช้ Android กว่า 500,000 หลาย ตกเป็นเหยื่อของมัลแวร์ที่มาขโมยข้อมูลประจำตัวของ Facebook ซึ่ง ESET ได้ตรวจจับโทรจันเหล่านี้เป็น Android/Spy.Feabme.A
วิเคราะห์มัลแวร์โดย: Lukáš Stefanko
นักวิจัยจากบริษัท ESET ได้แจ้งเตือนแอพพลิเคชั่นไม่พึงประสงค์ประเภทโทรจันที่มีความสามารถในการ ขโมยข้อมูลรหัสผ่าน Facebook ของผู้ใช้ โดยเป็นแอพที่ชื่อ “Cowboy Adventure” และ “Jump Chess” ซึ่งเป็นเกมที่ได้รับความนิยมอย่างมากใน Google Play ทั้งสองแอพมีผู้ดาวน์โหลดไปแล้วกว่า 500,000 – 1,000,000 หลาย


แอพพลิเคชั่นดังกล่าวจะแสดงหน้าต่างล็อคอินปลอมของ Facebook แล้วหลอกให้ผู้ใช้กรอกข้อมูล โดยข้อมูลเหล่านี้จะถูกส่งไปยังเซิร์ฟเวอร์ของผู้ไม่หวังดี

ปัจจุบัน Google ได้ลบทั้งสองแอพนี้ออกจาก Google Play แล้ว และยังแสดงข้อความแจ้งเตือนเมื่อทำการติดตั้งบนอุปกรณ์ Android

กลไกการรักษาความปลอดภัยของ Google ได้รับการปรับปรุงซึ่งมีการปรับลดความเสี่ยงของการติดเชื้อมัลแวร์สำหรับผู้ใช้ Android
ข่าวดีก็คือว่าแม้ว่าจำนวนของผู้ที่ตกเป็นเหยื่อมากถึงล้านคน แต่ก็มีอีกจำนวนมากที่ไม่ได้ถูกหลอก โดยพวกเขาแสดงความคิดเห็นในเชิงลบในส่วนการแสดงความคิดเห็นของผู้ใช้

จากตัวอย่างของมัลแวร์ Android นี้ ทำให้เราตระหนักถึงการใช้งานแพลตฟอร์มโทรศัพท์มือถือของ Google ดังนี้:
1. แนะนำให้ดาวน์โหลดแอพพลิเคชั่นอย่างเป็นทางการจาก Google Play มากกว่าจากร้านค้า app แหล่งที่ไม่รู้จัก หรืออื่นๆ แม้ว่า Google Play จะไม่ปลอดภัยจากมัลแวร์ 100% แต่พวกเขาจะมีกลไกการรักษาความปลอดภัยที่แข็งแกร่งเพื่อกำจัดโทรจันออก
2. ดาวน์โหลดแอพพลิเคชั่นจากนักพัฒนา app ที่น่าเชื่อถือเท่านั้นและควรตรวจสอบการให้คะแนนและแสดงความคิดเห็นของผู้ ใช้ พฤติกรรมการหลอกลวงของเกม Cowboy Adventure ก็สังเกตเห็นได้อย่างรวดเร็วโดยผู้ใช้ นอกจากนี้ควรอ่านข้อความเพื่อตรวจสอบสิทธิ์ที่ app จะขอระหว่างการติดตั้ง
3. ไม่ประมาทและควรใช้โปรแกรมป้องกันมัลแวร์บนโทรศัพท์ Android ของคุณ ซึ่ง ESET Mobile Security สามารถตรวจพบเกมที่เป็นอันตรายเป็น มัลแวร์ที่ชื่อว่า Android/Spy.Feabme.A

ที่มา : blog.eset.co.th

Create strong passwords

 
ข้อควรรู้เกี่ยวกับการ ตั้ง password อย่างไรให้ปลอดภัย รวมถึงการเข้าใช้งานให้ปลอดภัย
เนื่องด้วยยุคปัจจุบัน มีการพัฒนาเครื่องมือในการถอดรหัส ที่มีความสามารถสูงขึ้นเรื่อยๆ
เราจึงควรเรียนรู้วิธีตั้ง password เพื่อเพิ่มความปลอดภัยให้กับบัญชีของตัวเอง

1.ควรตั้ง password อย่างน้อย 8 ตัวอักษรขึ้นไป
2.ไม่ใช้ตัวเลข หรือตัวอักษรอย่างเดียว เช่น 111111,123456, abcdef , ABCDEF , AAAAAA
3.รหัสผ่านควรใช้ตัวอักษร ผสมตัวเลข และสัญลักษณ้พิเศษ
4.ไม่ควรใช้ password เดียวกัน ในการเข้า Log in account ต่างๆเช่น gmail,hotmail,facebook,yahoo,Internet banking เป็นต้น
5.หลีกเลี่ยงการใช้ วันเดือนปีเกิด หรือชื่อตัวเองหรือบุคคลในครอบครัว เพื่อนสนิท
6.หลีกเลี่ยงคำที่เป็นชื่อเรียกต่างๆ ที่มีอยู่ในพจนานุกรม
7.อย่าเลือก option ของการจดจำรหัสของ browser หรือ keep me signed in(Outlook)

อีกเทคนิคหนึ่งที่ใช้ได้ผลดี คือเปลี่ยนเป้นภาษาที่ user ใช้
เช่น เปลี่ยนเป็นภาษาไทย+ภาษาอังกฤษเล้กใหญ่+ตัวเลข+สัญลักษณ์
ส่วนจะผสมกันยังไงก็ลองไปตั้งดูครับ

ข้อควรจำ
1.หลีกเลี่ยงการ login ผ่านเครื่องคอมพิวเตอร์ผู้อื่นหรือเครื่องสาธารณะหรือร้านเกมส์ต่างๆ
2.อย่าส่งหรือบอกรหัสผ่านกับใคร
3.ไม่ควรจดรหัสผ่านลงในกระดาษหรือสมุดบันทึก หรือถ้าจดต้องเก็บไว้ในที่ปลอดภัยโดยเฉพาะรหัสเกี่ยวกับทางด้านการเงินการธนาคาร
4.ควรเปลี่ยนรหัสผ่านบ้าง อาจเป็น 3 เดือน หรือ 6 เดือน

ตัวอย่างการทดสอบ

ถ้าอยางทดสอบว่า Password ที่เราตั้งนั้นมีความปลอดภัยมากน้อยแค่ไหน
สามารถใช้บริการของทาง microsoft  ได้ตาม Link ด้านนี้ครับ

Microsoft
https://www.microsoft.com/security/pc-security/password-checker.aspx

Kaspersky Lab
https://blog.kaspersky.com/password-check

อันนี้เป็นของ howsecureismypassword.net

http://www.passwordmeter.com

อื่นๆ
http://www.yetanotherpasswordmeter.com

Free Toolbar Cleaner & Remover Tools for your browsers

RECOMMENDED: Click here to fix Windows errors and optimize system performance

We have already seen how to manually uninstall some toolbars which may have got installed on your Internet Explorer, Chrome, Firefox, Opera or other browsers. While in most cases it may be possible to uninstall them via the Control Panel or the respective browsers’ Add-ons Manager, in some cases, it may not be possible and you may have to use some tools to remove such persistent toolbars.
Some toolbars which are difficult to remove are Ask toolbar, Babylon toolbar, AVG SecureSearch, SiteSafety, MyFree toolbar, C duit toolbar, ZXY toolbar, Anonymization toolbar, GameNext toolbar, MPire toolbar, MyWebSearch toolbar, NetCraft toolbar, People Search toolbar, Public Record toolbar, Zango toolbar, Elite toolbar, etc. The list is endless, with many wanting to push toolbars for various reasons. It could be for making money with every install, for pushing pop-ups or for tracking down your computer usage.
In this post we will see some free Toolbar Removers that may help you with the job.

Toolbar Removers

As mentioned earlier, while most genuine toolbars like the Google, Bing, Yahoo, etc toolbars can be uninstalled completely from the Control Panel, others like the Ask toolbar, Babylon toolbar, AVG SecureSearch, SiteSafety, etc. may not be so easy to uninstall via the Control Panel or by using the browsers Addons Manage – for such nasty toolbars, you could use any one of these free tools.
Make sure that you close all browsers before you run the toolbar removal tool.

Toolbar Cleaner

Toolbar Cleaner  for Windows can be used to remove toolbars from Internet Explorer, Mozilla Firefox or Google Chrome. It scans the browsers for installed toolbars, BHO’s and extensions, and displays all of them in its interface.  During installation it will ask you to install Anti-phishing Domain Advisor and set MyStart as the home page. You may want to uncheck these options.

Multi-Toolbar Remover

The Multi-Toolbar Remover offers limited support. It will only help removed selected toolbars like AOL, Comcast and so on.

The Toolbar Uninstaller

The Toolbar Uninstaller helps get rid of unwanted toolbars. Many programs come bundled with a toolbar that gets installed automatically if you don’t pay attention during the installation.

Avast Browser Cleanup Tool

Avast Browser Cleanup Tool will scan all your browsers and list down add-ons, plugins and toolbars which have a poor reputation. You don’t need to have Avast Antivirus installed on your computer to be able to use it.

Smart Toolbar Remover

Smart Toolbar Remover will work on IE, Firefox and Chrome and will identify and help remove toolbars.

AdwCleaner

AdwCleaner searches for and helps delete Toolbars, Browser Hijackers (BHO) and Potentially Unwanted Programs (PUP)  from your computer.

Junkware Removal Tool

Junkware Removal Tool searches for and removes common toolbars, and potentially unwanted programs from your computer. It removes Ask Toolbar, Babylon, Browser Manager, Claro / iSearch, Conduit, Coupon Printer for Windows, Crossrider, DealPly, Facemoods, Funmoods, iLivid, Iminent, IncrediBar, MyWebSearch, Searchqu and Web Assistant presently. It is available here.

Ask Toolbar Remover

Use this Ask Toolbar Remover from Ask.com to remove the unpopular Ask Toolbar.

Toolbar Cleaner

Soft4Boost Toolbar Cleaner is a free toolbar uninstaller software, which removes all unwanted toolbars, addons, plugins from your Windows PC in real time, for any browser.
Even after you uninstall most toolbars, it will not reset your home page and search engine back to your old defaults. You will have to do so manually.
ที่มา : thewindowsclub.com

New Version of TeslaCrypt Changes Encryption Scheme

New Version of TeslaCrypt Changes Encryption Scheme

by Dennis Fisher    July 14, 2015 , 2:26 pm

A new version of the nasty TeslaCrypt ransomware is making the rounds, and the creators have added several new features, including an improved encryption scheme and some details designed to mimic CryptoWall.

TeslaCrypt is among the more recent variants of ransomware to emerge and the malware, which is a variant of CryptoLocker, is unique in that it targets files from gaming platforms as well as other common file types. Version 2.0.0 of TeslaCrypt, discovered recently by researchers at Kaspersky Lab, no longer uses a typical GUI to show users the warning about their files being encrypted. Instead, the malware opens a page in the user’s browser to display a warning message that is taken directly from CryptoWall.

That change, researchers speculated, could be a way to make TeslaCrypt seem more intimidating.

“Why use this false front? We can only guess – perhaps the attackers wanted to impress the gravity of the situation on their victims: files encrypted by CryptoWall still cannot be decrypted, which is not true of many TeslaCrypt infections,” Fedor Sinitsyn of Kaspersky Lab wrote in an analysis of the new ransomware. 

But the more significant modification in version 2.0.0 is the inclusion of an updated encryption method. TeslaCrypt, like many other ransomware variants, encrypts the files on victims’ machines and demands a payment in order to obtain the decryption key. The payment typically must be in Bitcoin and the attackers using crypto ransomware have been quite successful in running their scams. Estimates of the revenue generated by variants such as CryptoLocker run into the millions of dollars per month.

Researchers have had some success in finding methods to decrypt files encrypted by ransomware, specifically TeslaCrypt. But the change to the malware’s encryption method may make that more difficult.

“The encryption scheme has been improved again and is now even more sophisticated than before. Keys are generated using the ECDH algorithm. The cybercriminals introduced it in versions 0.3.x, but in this version it seems more relevant because it serves a specific purpose, enabling the attackers to decrypt files using a ‘master key’ alone,” Sinitsyn said.

“Each file is encrypted using the AES-256-CBC algorithm with session_priv as a key. An encrypted file gets an additional extension, ‘.zzz’. A service structure is added to the beginning of the file, followed by encrypted file contents.”

The TeslaCrypt authors also took out the decryption mechanism in the malware that researchers were able to exploit in previous versions.

- See more at: https://threatpost.com/new-version-of-teslacrypt-changes-encryption-scheme/113786#sthash.iec6Yax9.dpuf

ที่มา : Threatpost.com

Trojan porn clicker : The clicker" Zombie malware Part2

#แจ้งเตือน #
"The clicker" Zombie malware
หรือ Trojan porn clicker 
**************************************************************

“The Clickers” – Zombie Malware that feed on the mobile ecosystem

Posted 07/13/2015 by Lori Zhang & filed under malware, potentially unwanted app, zero-day.

Authors: Tianfang Guo, Jinjian Zhai; Special Thanks: Steven Chen

Last week, Trustlook exposed the Facebook credential phishing malware “Cowboy Adventure”. In the article we pointed out that phishing is one kind of behavior that is difficult to detect via an automated technical approach. This may be one reason it sneaked by the Google Play Store’s  “Bouncer” automated security check.
In this article, we will highlight several examples of Zombie malware on Google Play we very recently uncovered. These are Called  – “The “Clickers”.They commit another stealthy kind of malicious behavior, that  will likely be overlooked by automated analysis solutions.
“Clicker” is a malware that affects a large part of the mobile ecosystem creating fraud for the vendors, spamming the networks and exploiting the resources of user the community. This form of malware launches requests through Advertizing links. “Clickers” generate costly, false user traffic for advertisers, while draining the user’s battery life and consuming their monthly data plan bandwidth allowances. Everyone loses when a “Clicker” is unleashed.


The latest malware we detected is called “Best: Dubsmash”. It has no actual functionality other than a confusing UI. Most users are likely to spend some time to figure out what it does. In the mean time, let’s see what is doing in the background:

Communicate a C&C server. This server will serve the target URL that needs users to click.
According to our test, this URL will give different URLs each time you refresh it. Most of the URLs are porn sites.
Our behavioral analysis shows the Zombie requests are generated by using invisible webview calls, in a continuous 20s time interval. There goes the user’s battery life and bandwidth. data plan. Also it will (or rather should) create events on a properly monitored corporate network. Just what your SecOps team needs, right? More Spam remediation.

As of Jul 13 PST 2:40PM, this app, as well as 3 similar “clickers” are still alive on Google Play. We already reported this issue to our colleagues at Google Play and will look forward to timely remediation.

ที่มา : blog.trustlook.com

Trojan porn clicker : The clicker" Zombie malware Part1

Security news, views and insight from the ESET experts

ESET uncovers another porn clicker on Google Play

By Lukas Stefanko 

Recently, Avast researchers discovered the Trojan porn clicker uploaded to Google Play Store and posing as “Dubsmash 2”. This clicker pretended to be an official application, and was downloaded more than 100,000 times. While the click fraud activity did not cause direct harm to the victims such as stealing credentials, it does generate a lot of internet traffic and may cause high data charges for victims that have a restricted data plan, leaving them with high cellphone bills at the end of the month.

Less than a month later, ESET researchers discovered that a plethora of variants of this same fake Dubsmash application found their way on to the official Google Play, showing the very same icons and preview pictures.

While this threat is entirely different from the one we documented last week, both cases are similar in the sense that they managed to get into the Google Play Store when they should have been rejected.

Figure 1 Fake Dubsmash 2 from Google Play – available between May 20 and May 22

The latest Dubsmash 2 Trojan was uploaded to Play Store on May 20, 2015 and pulled on May 22, 2015. In the two days during that it was available for download, it was downloaded more than 5,000 times. The malware once again used a clicker technique identical to that used in its earlier version.

The author of the malware didn’t wait too long before uploading another version of the porn clicker to Google Play on May 23, 2015, passed off as Dubsmash v2. After three days the application had been downloaded more than ten of thousands of times. On May 25, 2015 and on May 26 2015 Dubsmash 2 was uploaded to the Play Store for the fourth and fifth time with the same malicious code implemented. It’s very rare for malware to be uploaded to official Play Store with the same functionality so many times over such a short period.

Figure 2 Fake Dubsmash v2 – May 23

Figure 3 Fake Dubsmash 2 – May 25

Figure 4 Fake Dubsmash 2 – May 26

ESET security software detects this threat as Android/Clicker Trojan. The fake applications were quickly removed from Play Store after we notified Google.

Figure 5 Android/Clicker Trojan removed from Google Play

After further research we discovered that these four applications were not the only Dubsmash 2 applications uploaded to the Google Play Store. We found another four applications that were removed from the Play Store in the past. ESET identified nine Trojan Clicker applications altogether that were made available for download, disguised as fake Dubsmash 2 applications.

Figure 6 Other Dubsmash 2 variants

Analysis

After installation, the user will not find any new Dubsmash icon on the device. The newly installed app’s icon or name has nothing in common with the real Dubsmash application. Mostly it pretends to be a simple arcade game or system application. After startup, the application hide its launching icon, but it is still constantly running in the background, accessing porn pages to generate revenue via click fraud.

Figure 7 Dubsmash 2 icons

Malicious activity is triggered when the device changes its connection. It’s not difficult to get the server URL address, as the app developer did not encrypt URLs this time. The server URL can be found in the code in plaintext. But there is one interesting change from the last version. Malicious code will not be executed if anti-virus software is installed on the device. The Trojan checks installed applications, based on package names, against the names of 16 anti-virus vendors. Package names are dynamically requested from server over HTTP. Package names can be easily updated to add other anti-malware applications. When the Trojan is installed it may not yet be detected by all AV solutions, but in many cases AV vendors can block URLs on request if they are found to be malicious. In one case the Trojan uses the server to communicate with as in its earlier version. It’s very suspicious when the user is warned that his device is trying to request data from a server that has already been blocked. At this point, the user may be alarmed to find that something suspicious is going on.

Package Name
com.eset.ems2.gp
com.kms.free
com.avast.android.mobilesecurity
com.symantec.mobilesecurity
com.antivirus
com.drweb
com.cleanmaster.mguard
com.cleanmaster.security
com.avira.android
com.wsandroid.suite
com.drweb.pro
org.antivirus
com.s.antivirus
jp.naver.lineantivirus.android
org.antivirus.tablet
org.antivirus.tcl.plugin.trial_to_pro

If none of these applications are installed then Dubsmash 2’s true functionality is initiated. The Trojan will demand porn links from its server. These links will be loaded every 60 seconds into WebView inside an invisible window, with a random clicking pattern applied.

Conclusion

It looks as if the official Play Store has still some weak spots, given that the same malicious applications were uploaded and offered to more than ten of thousands of users for the fourth time in just a month. The developer misused the name of a popular, for his own financial gain. We advise users to read reviews even when the application is not requesting any harmful or suspicious permissions.

More information

Package name	MD5	ESET Detection name
com.mym.gms	BC72AD89E02C5FAA8FD84EBE9BF9E867	Android/Clicker.M
com.jet.war	8788B7C60BC9021A5F6162014D7BD1A6	Android/Clicker.L
com.lh.screens	A2CCD03A1997F86FB06BD1B21556C30F	Android/Clicker.M
com.jet.sman	6E20146EB52AEA41DB458F494C3ED3E6	Android/Clicker.J

Author Lukas Stefanko, ESET

ที่มา :www.welivesecurity.com

ในการทดสอบผ่าน Virustotal นั้นไฟล์ผ่านการตรวจสอบไม่ฟ้องว่าเป็น malware ในช่วงแรก

ESET ตรวจพบคือ Android/Spy.Feabme.A
ซึ่ง trojan จะหลอกให้ผู้ติดตั้ังเกมส์ ใส่ user และ password ใน Facebook login ปลอม เพื่อขโมยรหัสและข้อมูลส่วนตัว และยังส่ง spam ไปหาเพื่อน เพื่อเป็นการกระจายการ download และเพิ่มจำนวนผู้ติดเชื้อ

http://virusradar.com/en/Android_Spy.Feabme.A/description

รายละเอียดเชิงลึก
http://blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/

  *********************************************************************

Apps on Google Play Steal Facebook Credentials

By Robert Lipovsky posted 9 Jul 2015 - 01:16PM

Over 500,000 Android users targeted by phishing apps harvesting their Facebook credentials. ESET detects these trojans as Android/Spy.Feabme.A

Malware Analysis by: Lukáš Štefanko

With 500,000 – 1,000,000 installs, Cowboy Adventure was a relatively popular game on the Google Play store. That popularity in itself is unremarkable: however, the developers of the app also used it as a tool to harvest Facebook credentials, and that did raise a few eyebrows. It was one of two games spotted by ESET malware researchers that contained this malicious functionality, the other one being Jump Chess.

Unlike some other Android malware, these apps did contain legitimate functionality (they actually were real games) in addition to the fraud. The problem lies in the fact that when the app is launched, a fake Facebook login window is displayed to the user. If victims fell for the scam, their Facebook credentials would be sent to the attackers’ server.

That was the bad news. The latest version of Cowboy Adventure at the time Google took it down from their official market last week was 1.3. This trojanized game had been available for download from Google Play since at least April 16, 2015, when the app was updated. We are not sure how many users had their Facebook credentials compromised.

Jump Chess – from the same developer – had been available for download since April 14, 2015, but fortunately it was less successful than Cowboy Adventure, with only 1,000 – 5,000 installs.

The good news is that Google has taken down both of the apps from their app store and also warns against their installation on Android devices:

Google’s security mechanisms have been improving, which has lowered the risk of getting infected by malware for Android users.

Another piece of good news is that even though the number of potential victims may have been up to one million, there were many of them who were not tricked by the scam. They expressed their negative opinions in the user comments for the app:

Our analysis of these malicious games has shown that the applications were written in C# using the Mono Framework. The phishing code is located inside TinkerAccountLibrary.dll. The app communicates with its C&C server through HTTPS and the address to which to send the harvested credentials (also known as the ‘drop zone’) is loaded from the server dynamically.

This example of Android malware reminds us of a few basic principles that help us to stay safe when using Google’s mobile platform:

• Always favor downloading apps from the official Google Play store rather than from alternative app stores or other unknown sources. Even though Google Play is not 100% malware free, they do have strong security mechanisms to keep trojans out.
• Download apps only from trustworthy app developers and always check the ratings and user comments. The scam behavior of Cowboy Adventure was quickly noticed by users. Also take a minute to review the permissions that an app is asking for during installation.
• Don’t underestimate the necessity for an anti-malware scanner on your Android phone. ESET Mobile Security detects the malicious games as Android/Spy.Feabme.A.

UPDATE: After proofing, as this article was on its way to press, we discovered that Trustlook also published their analysis of this trojan yesterday. Check out their blog post for interesting additional technical details.

Author Robert Lipovsky, ESET