Saturday 28 July 2012

New OpFake Android Malware Entices Users With Opera Mini Browser

There is a new variant of the OpFake mobile malware making the rounds, and this version comes bundled with a copy of the legitimate Opera Mini mobile browser. The malware targets Android phones and steals money from victims by sending SMS messages to premium-rate numbers without the user's knowledge; it also collects data about the device it infects.

Researchers at GFI Labs discovered the new variant of OpFake in recent days, and found that, unlike older versions of the malware that disguised itself as Opera Mini, this version actually downloads a copy of the mobile browser. The attackers have set up a fake Opera Mini Web site that encourages users to download the browser. Clicking on the link on the site begins the installation routine for the malware, downloading a package called "opera_mini_65.apk". 

"During installation, two sets of “Permission to Install” pages are displayed to smartphone users: (1) The first set comes from the malware itself. As you can see, it asks for read and modify rights to all SMS and MMS messages, read rights to all contacts stored on the smartphone, and modify or delete rights to the SD card, among other things," Jovi Umawing of GFI Labs wrote in an analysis of the malware. 

Once on the infected Android device, the malware will redirect the user to a legitimate download page for Opera Mini, making the installation of the malware seem more authentic. If users choose to install the browser, the actual Opera Mini browser will show up on their phone. But the malware already is working in the background.

Its first action is to send an SMS message to a premium-rate number controlled by the attackers. The infected device also connects to a command-and-control server to retrieve instructions for the malware. Here is some of the data that OpFake collects from each infected device, according to Umawing:
    • Country location
    • Operator name
    • OS version
    • Phone type
    • Device ID (IMEI)
As Umawing points out, the best idea for mobile users is to download apps only from the official app stores of the platform provider. That's easy on iPhones, because there's no real choice, but for Android users, there are a slew of alternative markets and sites that offer Android apps. It can be difficult to determine which ones are legitimate and which are malicious, so staying with the official Google Play market is the safest option.
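The install prompt described above is the cheapest place to catch this family: a browser has no business asking to send and rewrite SMS. The following is an added example, not code from the article, GFI Labs or the malware, that pulls the requested permissions out of a decoded AndroidManifest.xml and flags the premium-SMS pattern. Both manifests in it are constructed for illustration; the "browser" one is a plausible minimal set, not Opera Mini's real manifest, and the package name is made up.

```python
# Added example: static triage of a decoded Android manifest for the
# permission set the article says OpFake requests at install time.
# Not GFI Labs' analysis; manifests below are constructed stand-ins.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission families mapped to the capability a premium-SMS trojan needs.
SEND_SMS = {"android.permission.SEND_SMS"}
INTERCEPT_SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                 "android.permission.WRITE_SMS", "android.permission.RECEIVE_MMS"}
CONTACTS = {"android.permission.READ_CONTACTS"}
DEVICE_ID = {"android.permission.READ_PHONE_STATE"}   # IMEI, operator, phone type
NETWORK = {"android.permission.INTERNET"}
SD_CARD = {"android.permission.WRITE_EXTERNAL_STORAGE"}


def manifest_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml):
    """Return (verdict, findings) for one manifest.

    "suspicious": the app can send SMS and can also intercept replies or read
    device identity, i.e. the OpFake pattern. "review": some SMS permission
    without that combination. "benign": no SMS permissions at all.
    """
    perms = manifest_permissions(manifest_xml)
    findings = []
    if perms & SEND_SMS:
        findings.append("can send SMS (premium-rate billing fraud)")
    if perms & INTERCEPT_SMS:
        findings.append("can read/modify SMS and MMS (hide carrier replies)")
    if perms & CONTACTS:
        findings.append("reads contacts")
    if perms & DEVICE_ID:
        findings.append("reads IMEI/operator (device profiling)")
    if perms & NETWORK:
        findings.append("network access (C2 beacon)")
    if perms & SD_CARD:
        findings.append("modifies SD card")

    if perms & SEND_SMS and (perms & INTERCEPT_SMS or perms & DEVICE_ID):
        verdict = "suspicious"
    elif perms & (SEND_SMS | INTERCEPT_SMS):
        verdict = "review"
    else:
        verdict = "benign"
    return verdict, findings


# Constructed manifest mirroring the prompt the article describes (package
# name and exact permission list are assumptions, not the real sample's).
TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebrowser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_MMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Opera Mini"/>
</manifest>
"""

# Constructed minimal browser manifest (not Opera Mini's actual manifest).
BROWSER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.browser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Browser"/>
</manifest>
"""

if __name__ == "__main__":
    for name, manifest in (("trojan", TROJAN_MANIFEST), ("browser", BROWSER_MANIFEST)):
        verdict, findings = triage(manifest)
        print(f"{name}: {verdict}")
        for finding in findings:
            print("  -", finding)
```

The verdict logic deliberately keys on the combination rather than on any single permission: a legitimate messaging app also holds SEND_SMS, but a "browser" that pairs it with RECEIVE_SMS (to swallow the carrier's billing confirmation) or READ_PHONE_STATE (to report the IMEI) is the pattern the article describes.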

Courtesy by Dennis Fisher

Friday 27 July 2012

Black Hat: Phishing E-Mail Scare A False Alarm

The annual Black Hat Briefings hacker conference got off to a rocky start Sunday after thousands of registered attendees received a fishy-smelling "account password reset" e-mail that contained a suspicious URL. But a message from conference organizers hours later said the errant e-mail was no phishing attack, but merely an "abuse of functionality" by a bored Black Hat volunteer.

The e-mail, with the subject line "Your admin password", was sent at around 11:50 AM on Sunday to around 7,500 people who had registered to attend the annual hacker confab in Las Vegas, Nevada.
The brief e-mail, sent from an address at itn-international.com, read: "This is a note from BlackHat 2012. You have requested a new password. Here are your details." That message was followed by a blank Username and Password and a URL that recipients were asked to use to sign in.

Reaction from Black Hat's notoriously security-conscious attendees was swift. Security experts used their Twitter accounts to inquire about what many assumed was a phishing e-mail or social engineering attack.
"Just got a fake pw reset email for my account. And so it begins..." wrote Bob Lord (@boblord) of Twitter's own security team.

Just three hours later, however, conference organizers set jangled nerves to rest, acknowledging in a blog post that a volunteer tinkering with a loosely secured script on a Black Hat registration server belonging to ITN, the company handling Black Hat's registration, was responsible for sending out the e-mail blast to conference attendees.

"We have reviewed the server logs, we know the user, host, and have spoken with the volunteer who has emailed each of you this morning...The email this morning was an abuse of functionality by a volunteer who has been spoken to," wrote Black Hat general manager Trey Ford. "This feature has since been removed as a precautionary measure."

The annual Black Hat Briefings show, which takes place in Las Vegas, brings together some of the world's top hacking talent. The show is no stranger to hacks, practical jokes and legal blow-ups. Attendees connecting to conference resources using insecure laptops, Web browsers or wi-fi connections are known to be called out publicly on a giant "Wall of Sheep." Furthermore, security experts are more than happy to use the Black Hat network and conference attendees as their testbed. In 2010, for example, a security expert showed how Internet users could view the conference proceedings for free by exploiting vulnerabilities in Black Hat's web site.
Courtesy by Paul Roberts

Mozilla, EFF Help Launch Internet Defense League, a Bat Signal for the Internet

A group of civil-liberties organizations, software companies and popular Web sites are launching a new effort called the Internet Defense League that aims to "help Internet users, organizations, and companies fight back whenever online rights are threatened." Inspired by the collaborative fight against the SOPA bill earlier this year, the new organization counts Mozilla, the EFF, WordPress and Reddit among its charter members.

The launch of the Internet Defense League is timed to coincide with the release of the newest Batman movie, which hits theatres on Friday. The goal of the organization is to be able to band together large numbers of people in a short amount of time to oppose any future SOPA-like bills that the group thinks threaten the freedom or rights of Internet users. The group is calling this idea a bat signal for the Internet.

"When the internet's in danger and we need millions of people to act, the League will ask its members to broadcast an action.  (Say, a prominent message asking everyone to call their elected leaders.)  With the combined reach of our websites and social networks, we can be massively more effective than any one organization," the IDL's site says.

"The Internet Defense League takes the tactic that killed SOPA & PIPA and turns it into a permanent force for defending the internet, and making it better. Think of it like the internet's Emergency Broadcast System, or its bat signal!"

The EFF was one of the leaders of the fight against the SOPA bill, a highly controversial measure that would have given the federal government broad powers to take down just about any site that officials decided had some copyright-infringing content on it. The bill also included a mechanism that would have enabled law enforcement to block a site in the DNS system, effectively erasing the site from the Web. Experts said that provision would have had serious consequences for DNS and for DNSSEC.

"We know that when we work together, we can protect our Internet. So, we’re joining with some of our friends from the anti-SOPA fight in creating the Internet Defense League to help Internet users, organizations, and companies fight back whenever online rights are threatened," Rainey Reitman of the EFF said.

As part of the launch, the IDL will be hosting parties in several cities, during which people will be projecting the organization's "cat signal" on tall buildings, a la the famous bat signal in the Batman movies.

Courtesy by Dennis Fisher

Monday 16 July 2012

More Malware Using a Remote Payload Discovered on Google Play

Symantec is warning of new malware masquerading as two apps on Google Play that claimed up to 100,000 victims before the Trojan was removed.

Both "Super Mario Bros." and "GTA 3 Moscow City" racked up 50,000 to 100,000 downloads after being posted June 24 on Google Play.

"What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered," Irfan Asrar wrote in a blog post. "Our suspicion is that this was probably due to the remote payload employed by this Trojan."
Asrar last year wrote about this evasion-driven technique, in which the payload is broken into separate modules and delivered independently, making it easier to hide and to inject into other apps. In the case of this malware, called Android.Dropdialer, only the first stage was posted on Google Play. Once installed, it downloaded an additional package via Dropbox called Activator.apk that sends SMS messages to a premium-rate number tied to Eastern Europe.
 
"An interesting feature of the secondary payload is that it prompts to uninstall itself after sending out the premium SMS messages—an obvious attempt at hiding the true intent of the malicious app," Asrar said.

The security researcher noted that Android Security removed the apps as soon as it was notified.
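The reason the remote payload works against store-side scanning is that the stage posted to the market carries only download-and-install logic, while the SMS sending and the self-uninstall prompt live in the package fetched later. The following is an added example, not Symantec's detection logic or the malware's code, that correlates code-level indicators from each stage to make that visible. The string lists stand in for strings recovered from each stage's classes.dex with a dex disassembler; the API names are real Android identifiers, while the download URL and short code are made up.

```python
# Added example: correlate indicators across the stages of a "remote payload"
# trojan. Constructed stand-ins for dex strings; not Symantec's logic.
import re

# Substring -> behaviour. The Android API and intent names are genuine.
INDICATORS = {
    "application/vnd.android.package-archive": "launches the package installer on a downloaded file",
    "Landroid/telephony/SmsManager;->sendTextMessage": "sends SMS from code",
    "android.intent.action.DELETE": "asks the system to uninstall a package",
    "Ldalvik/system/DexClassLoader;": "loads code that was not in the installed APK",
}
APK_URL = re.compile(r"https?://\S+\.apk\b")


def behaviours(strings):
    """Return the set of behaviours evidenced by one stage's strings."""
    found = set()
    for s in strings:
        for needle, label in INDICATORS.items():
            if needle in s:
                found.add(label)
        if APK_URL.search(s):
            found.add("downloads an APK from a hard-coded URL")
    return found


def classify(stages):
    """Return (per-stage behaviours, verdicts) for an ordered list of stages.

    The "dropper" verdict needs a download indicator plus an installer
    indicator in stage one; the SMS and self-uninstall verdicts may come from
    any stage. Run on stage one alone, the function reports only "dropper",
    which is what a store scan that never sees stage two would miss.
    """
    per_stage = [behaviours(s) for s in stages]
    stage_one = per_stage[0] if per_stage else set()
    everything = set().union(*per_stage) if per_stage else set()
    verdicts = set()
    if {"downloads an APK from a hard-coded URL",
        "launches the package installer on a downloaded file"} <= stage_one:
        verdicts.add("dropper")
    if "sends SMS from code" in everything:
        verdicts.add("sms-sender")
    if ("asks the system to uninstall a package" in everything
            and "sends SMS from code" in everything):
        verdicts.add("self-uninstalling payload")
    return per_stage, verdicts


# Constructed stand-ins for strings from each stage (the host path is
# hypothetical; "Activator.apk" is the package name named in the article).
STAGE_ONE = [
    "Lcom/example/game/MainActivity;",
    "https://dl.example.com/u/1234/Activator.apk",
    "application/vnd.android.package-archive",
    "android.intent.action.VIEW",
]
STAGE_TWO = [
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "1234",   # stand-in short code, not the real premium number
    "android.intent.action.DELETE",
    "package:",
]

if __name__ == "__main__":
    for label, chain in (("stage one only", [STAGE_ONE]),
                         ("both stages", [STAGE_ONE, STAGE_TWO])):
        _, verdicts = classify(chain)
        print(f"{label}: {sorted(verdicts)}")
```

The practical lesson is in the two runs: an analyst who only has the market APK sees a downloader with no SMS capability, so any pipeline that wants to catch this family has to fetch and classify the second stage (or treat "downloads an APK and hands it to the installer" as a finding in its own right).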


Courtesy by Anne Saita @Threatpost

Saturday 14 July 2012

Apple Receives NFC Patent, But Takes It Slow with Mobile Payments

Apple was granted a patent on Tuesday by the United States Patent and Trademark Office for a Near Field Communications (NFC)-enabled travel management application, furthering speculation that the company is readying mobile payment technology for future versions of its iPhone product.

The Web site Macrumors.com reports that the patent covers a service, "iTravel", that would make use of NFC technology. The service would let travelers handle some of the chores of air travel from their smartphone, such as paying for checked luggage, confirming reservations or checking in at the airport, by having the phone present stored traveler information, including a photograph, fingerprint or retinal scan, to verify identities.

NFC is a short-range wireless technology that uses an embedded chip to enable two-way communication between devices held close together. Users can tap their devices at compatible kiosks and terminals to transfer information or pay for goods and services.

The news about the new NFC-related patent raises questions about how aggressively Apple will move into the fast-evolving mobile payments space. A recent report suggested that the Cupertino giant is letting other smartphone developers test the mobile payments waters first before developing its own technology. The Wall Street Journal last week reported that, despite trailing Google with its Google Wallet application and Microsoft with its digital wallet service, Apple was electing to take it slow, apparently deterred by security concerns.
 
“Apple employees patented some NFC ideas but worried about whether the technology was secure enough,” according to the WSJ piece, published late last week.

Although the technology has been widely adopted by Google and now Microsoft, one Apple employee claims the company’s chief financial officer Peter Oppenheimer wondered whether there was an alternative to NFC, or a “newer secure technology that employed the Internet,” according to the article.

Apple has kept mum on its plans when it comes to mobile payments, and an announcement at last month's Worldwide Developers Conference (WWDC) did nothing to change that.

During the conference, Apple claimed the next iteration of its mobile operating system, iOS 6, would boast a new feature, Passbook, that can store users’ movie tickets, plane tickets and gift cards. Unlike Google and Microsoft’s e-wallets however, there was no mention of being able to link Passbook to credit cards or debit cards.

Thirty-three percent of U.S. consumers have already made a payment with their mobile phone, according to a survey published this week by analytics firm IDC Financial Insights. That number is more than double the share of mobile payment adopters from last year. Additional research from Gartner this week anticipates that the mobile payment market will exceed $600 billion globally by 2016, almost four times the $172 billion spent this year -- a forecast that likely factors in Apple's emerging interest in the field.


Courtesy by Christopher Brook @Threatpost

Thursday 12 July 2012

Google Disputes Claim of Android Botnet

Google is disputing statements from researchers at Microsoft and Sophos who this week warned that Android devices were sending spam through compromised Yahoo Mail accounts. In response, both now say they are further investigating their earlier claims.

The idea of an international Android botnet leveraging the mobile operating system was first publicized earlier this week by Microsoft engineer Terry Zink in a blog post. He believed a new type of malware was accessing Yahoo Mail accounts on Android devices to send spam messages. He also determined from the originating IP addresses that the spam was coming from Asia, Eastern Europe, South America and the Middle East.

Chester Wisniewski, a Sophos Canada senior security engineer, also posted about the malware. "The messages appear to originate from compromised Google Android smartphones or tablets. All of the samples at SophosLabs have been sent through Yahoo!'s free mail service and contain correct headers and DKIM signatures," he wrote. He believed Android users became infected by downloading pirated copies of paid Android apps that contained the Trojan.

As media outlets and bloggers began reporting on the Android botnet, Google issued a statement saying evidence did not support the researchers' findings. "Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using," the company said.
 
This led Zink to concede that the spam headers could have been spoofed so the messages appeared to come from Android devices rather than from a more conventional source, though he left both possibilities open.

"Yes, it’s entirely possible that bot on a compromised PC connected to Yahoo Mail, inserted the the [sic] message-ID thus overriding Yahoo’s own Message-IDs and added the 'Yahoo Mail for Android' tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices," he wrote.

"On the other hand, the other possibility is that Android malware has become much more prevalent and because of its ubiquity, there is sufficient motivation for spammers to abuse the platform. The reason these messages appear to come from Android devices is because they did come from Android devices."

Similarly, Sophos' Wisniewski told The Wall Street Journal today that he is rechecking his findings to confirm whether the spam is using a faked signature or is actually coming from Android devices.

Google said in its statement that it also is continuing to investigate the details.
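The disagreement above comes down to which parts of a message a recipient can trust. A valid DKIM signature from the webmail provider proves that the provider accepted and signed the message as submitted, but the Message-ID and the "Yahoo Mail for Android" tagline are supplied by whatever client submitted it, so a PC bot driving a compromised account through the same service can set them identically. The following is an added example, not Microsoft's, Sophos' or Google's analysis, that parses a message and separates provider-asserted facts from client-controlled claims. The message is constructed: example domains stand in for the webmail provider, the IP is from the documentation range, and the Message-ID shape is an assumption about what a mobile client might stamp.

```python
# Added example: separate what an e-mail's headers prove from what they
# claim about the sending device. Constructed sample; not the researchers'
# or Google's analysis tooling.
import re
import email
from email import policy

# Tagline as quoted in the article; assumed to appear verbatim in the body.
MOBILE_TAGLINE = "Yahoo Mail for Android"
# "from [ip] ... by host" as stamped by a submission server.
RECEIVED_HOP = re.compile(r"from \[?([0-9.]+)\]?.*?\bby\s+([\w.-]+)", re.S)


def parse_dkim(header):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in str(header).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def assess(raw):
    """Return provider-asserted facts and client-controlled mobile claims."""
    msg = email.message_from_string(raw, policy=policy.default)
    dkim = parse_dkim(msg.get("DKIM-Signature", ""))
    signing_domain = dkim.get("d", "")
    signed = {h.strip().lower() for h in dkim.get("h", "").split(":") if h.strip()}

    # Provider-asserted: the earliest Received hop stamped by the signing
    # domain's own server records the IP that submitted the message.
    submission_ip = None
    for hop in msg.get_all("Received", []):
        m = RECEIVED_HOP.search(str(hop))
        if m and signing_domain and m.group(2).endswith(signing_domain):
            submission_ip = m.group(1)

    # Client-controlled: anything the submitting software chose to write.
    # A signature over Message-ID only shows the provider saw that value;
    # it says nothing about which client generated it.
    claims = []
    if "android" in str(msg.get("Message-ID", "")).lower():
        claims.append("Message-ID token")
    if MOBILE_TAGLINE in msg.get_payload():
        claims.append("body tagline")
    if "android" in str(msg.get("X-Mailer", "")).lower():
        claims.append("X-Mailer header")

    return {
        "signed_by": signing_domain,
        "submitted_from": submission_ip,
        "dkim_covers_message_id": "message-id" in signed,
        "mobile_claims": claims,
        "android_origin": "asserted by client only" if claims else "not claimed",
    }


# Constructed message (documentation IP, example domains, made-up signature).
SAMPLE = """Received: from mta3.mailer.example.com (mta3.mailer.example.com [192.0.2.10])
\tby mx.recipient.example.net with ESMTP; Sun, 1 Jul 2012 10:00:05 +0000
Received: from [203.0.113.7] by web12.mailer.example.com via HTTP; Sun, 1 Jul 2012 10:00:01 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailer.example.com; s=s1024;
\th=Message-ID:Date:From:To:Subject:Content-Type;
\tbh=constructed; b=constructed
Message-ID: <1341147601.4242.androidMobile@web12.mailer.example.com>
Date: Sun, 1 Jul 2012 10:00:01 +0000
From: victim@mailer.example.com
To: target@recipient.example.net
Subject: great deal
Content-Type: text/plain; charset=us-ascii

Buy now at http://shop.example.org/

Yahoo Mail for Android
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

Run on the sample, the only hard facts are the signing domain and the submitting IP; both "Android" signals land in the client-controlled bucket, which is why neither side of the dispute could settle it from headers alone and why Google pointed at infected PCs using a "fake mobile signature".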

Courtesy by Anne Saita @Threatpost