"Malware Fix รวมวิธีแก้ปัญหา virus computer โครงการทำดีเพื่อสังคม" "ต้องขออภัยผู้เยี่ยมชมทุกท่านนะครับ ที่เ้ข้ามาแล้ว ไม่ค่อยได้มีการ update หรือทดสอบ virus ตัวใหม่ๆ เนื่องจากภาระหน้าที่การงาน"

Alert


Photobucket
แจ้งเตือนภัย ! Crypt0L0cker (Ransomware)
เข้ารหัสข้อมูลใน คอมพิวเตอร์ กำลังระบาดในไทย
และกำลังระบาดหนักในเกาหลี
ThaiCERT , Crytpo Prevention Tool

*ห้ามจ่ายเงินโดยเด็ดขาด เพราะจะเสียทั่้งเงินและกู้ข้อมูลไม่ได้
รบกวนคนที่เข้ามาอ่านช่วยแชร์ด้วยนะครับ
How to remove Crypt0L0cker

7/14/2558

Trojan porn clicker : The clicker" Zombie malware Part1

ESET uncovers another porn clicker on Google Play


Recently, Avast researchers discovered the Trojan porn clicker uploaded to Google Play Store and posing as “Dubsmash 2”. This clicker pretended to be an official application, and was downloaded more than 100,000 times. While the click fraud activity did not cause direct harm to the victims such as stealing credentials, it does generate a lot of internet traffic and may cause high data charges for victims that have a restricted data plan, leaving them with high cellphone bills at the end of the month.
Less than a month later, ESET researchers discovered that a plethora of variants of this same fake Dubsmash application found their way on to the official Google Play, showing the very same icons and preview pictures.
While this threat is entirely different from the one we documented last week, both cases are similar in the sense that they managed to get into the Google Play Store when they should have been rejected.
Figure 1 Fake Dubsmash 2 from Google Play – available between May 20 and May 22
Figure 1 Fake Dubsmash 2 from Google Play – available between May 20 and May 22
The latest Dubsmash 2 Trojan was uploaded to Play Store on May 20, 2015 and pulled on May 22, 2015. In the two days during that it was available for download, it was downloaded more than 5,000 times. The malware once again used a clicker technique identical to that used in its earlier version.
The author of the malware didn’t wait too long before uploading another version of the porn clicker to Google Play on May 23, 2015, passed off as Dubsmash v2. After three days the application had been downloaded more than ten of thousands of times. On May 25, 2015 and on May 26 2015 Dubsmash 2 was uploaded to the Play Store for the fourth and fifth time with the same malicious code implemented. It’s very rare for malware to be uploaded to official Play Store with the same functionality so many times over such a short period.
dubsmashv2Top_1
Figure 2 Fake Dubsmash v2 – May 23
Figure 3 Fake Dubsmash 2 – May 25
Figure 3 Fake Dubsmash 2 – May 25
Figure 4 Fake Dubsmash 2 – May 26
Figure 4 Fake Dubsmash 2 – May 26
ESET security software detects this threat as Android/Clicker Trojan. The fake applications were quickly removed from Play Store after we notified Google.
Figure 5 Android/Clicker Trojan removed from Google Play
Figure 5 Android/Clicker Trojan removed from Google Play
After further research we discovered that these four applications were not the only Dubsmash 2 applications uploaded to the Google Play Store. We found another four applications that were removed from the Play Store in the past. ESET identified nine Trojan Clicker applications altogether that were made available for download, disguised as fake Dubsmash 2 applications.
Figure 6 Other Dubsmash 2 variants
Figure 6 Other Dubsmash 2 variants

Analysis

After installation, the user will not find any new Dubsmash icon on the device. The newly installed app’s icon or name has nothing in common with the real Dubsmash application. Mostly it pretends to be a simple arcade game or system application. After startup, the application hide its launching icon, but it is still constantly running in the background, accessing porn pages to generate revenue via click fraud.
Figure 7 Dubsmash 2 icons
Figure 7 Dubsmash 2 icons
Malicious activity is triggered when the device changes its connection. It’s not difficult to get the server URL address, as the app developer did not encrypt URLs this time. The server URL can be found in the code in plaintext. But there is one interesting change from the last version. Malicious code will not be executed if anti-virus software is installed on the device. The Trojan checks installed applications, based on package names, against the names of 16 anti-virus vendors. Package names are dynamically requested from server over HTTP. Package names can be easily updated to add other anti-malware applications. When the Trojan is installed it may not yet be detected by all AV solutions, but in many cases AV vendors can block URLs on request if they are found to be malicious. In one case the Trojan uses the server to communicate with as in its earlier version. It’s very suspicious when the user is warned that his device is trying to request data from a server that has already been blocked. At this point, the user may be alarmed to find that something suspicious is going on.
Package Name
com.eset.ems2.gp
com.kms.free
com.avast.android.mobilesecurity
com.symantec.mobilesecurity
com.antivirus
com.drweb
com.cleanmaster.mguard
com.cleanmaster.security
com.avira.android
com.wsandroid.suite
com.drweb.pro
org.antivirus
com.s.antivirus
jp.naver.lineantivirus.android
org.antivirus.tablet
org.antivirus.tcl.plugin.trial_to_pro
If none of these applications are installed then Dubsmash 2’s true functionality is initiated. The Trojan will demand porn links from its server. These links will be loaded every 60 seconds into WebView inside an invisible window, with a random clicking pattern applied.

Conclusion

It looks as if the official Play Store has still some weak spots, given that the same malicious applications were uploaded and offered to more than ten of thousands of users for the fourth time in just a month. The developer misused the name of a popular, for his own financial gain. We advise users to read reviews even when the application is not requesting any harmful or suspicious permissions.

More information

Package name
MD5
ESET Detection name
com.mym.gmsBC72AD89E02C5FAA8FD84EBE9BF9E867Android/Clicker.M
com.jet.war8788B7C60BC9021A5F6162014D7BD1A6Android/Clicker.L
com.lh.screensA2CCD03A1997F86FB06BD1B21556C30FAndroid/Clicker.M
com.jet.sman6E20146EB52AEA41DB458F494C3ED3E6Android/Clicker.J
Author Lukas Stefanko, ESET

ที่มา :www.welivesecurity.com

ไม่มีความคิดเห็น:

แสดงความคิดเห็น

Information

==============================================
PeeTechFix >> JupiterFix
==============================================
Photobucket

วิธีใช้งาน : JupiterFix-Win32.PSW.OnlineGames
ท่านสามารถตรวจสอบรายชื่อ Virus ที่โปรแกรม สามารถ Clean ได้ ใน VirusList.txt
-------------------------------------------------------------------------------------
ท่านใดที่ Download PeeTechFix tool ไปใช้แล้วมีปัญหาหรือลบไม่ออก โปรดแจ้งปัญหา ที่ email : MalwareHunter.info@gmail.com ด้วยครับ หรือส่งไฟล์ virus ให้ด้วย จะขอบพระคุณอย่างยิ่ง
-------------------------------------------------------------------------------------
Safemode Recovery (.reg) แก้ปัญหา Virus ลบ Key Safeboot แล้วเข้า safemode ไม่ได้
------------------------------------------------------------------------------------
วิธีแก้ Error message (แก้อาการเปิดไฟล์ .exe ใน USB Drive ไม่ได้)
"Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator"
วิธีแก้ ดูที่ link นี้ครับ
-------------------------------------------------------------------------------------
วิธีแก้ MSN /Windows Live Messenger Disconnect (จาก virus OnlineGames)
-------------------------------------------------------------------------------------
How to start Windows in Safe Mode

Popular Posts