Android adware, Zitmo botnets and Romanian hackers, oh my!

Fortinet's breakdown of the hacker Yellow Brick Road, as it were, begins with adware for Android is on the rise, which places unwanted advertisements in a mobile device’s status bar, tracks users via their International Mobile Equipment Identity (IMEI) numbers and drops icons on the device’s desktop. To be sure, the percentages are still small overall (the two primary adware variants, Android/NewyearL and Android/Plankton, were detected by close to 1% of all FortiGuard monitoring systems in the APAC and EMEA regions and 4% in the Americas), but with a volume of activity comparable to infamous spam-generator Netsky.PP, it’s enough to take notice.

“The surge in Android adware can most likely be attributed to users installing on their mobile devices legitimate applications that contain the embedded adware code,” said Guillaume Lovet, senior manager of Fortinet's FortiGuard Labs Threat Response Team. “It suggests that someone or some group is making money, most likely from rogue advertising affiliate programs.”

Consumers can identify these types of applications because they require too many unnecessary permissions for a normal application, “indicating it has a hidden agenda,” said Lovet. For best practices, FortiGuard Labs recommends paying close attention to the rights asked by the application at the point of installation.

Red flags include asking permission to access parts of the device that are irrelevant to the application, like the device’s browser history and bookmarks, contact data and phone logs, identity information and system log files. And to be completely on the safe side, users should only download mobile applications that have been highly rated and reviewed.

Meanwhile, FortiGuard researchers have discovered that the Zitmo banking bug has evolved into a more complex, botnet-like threat, with new versions recently released for Android and Blackberry.

Zitmo is the notorious mobile component of the Zeus banking Trojan – discovered in June 2012 after circulating on the Symbian platform for a couple of years. The new versions for Android and Blackberry have now added botnet-like features, such as enabling cybercriminals to control the Trojan via SMS commands.

Zitmo is used by cybercriminals in tandem with the traditional Zeus keylogging malware on PCs to steal the victim’s banking credentials and ultimately their money. Zitmo is used to intercept SMS messages containing the two-factor authentication credentials that banks use to validate the identity of the account holder when logging in.

Now, there is evidence that a botnet strategy is the next wave of evolution for the virus. “The new version of Zitmo may already be in the wild in Europe and Asia," said Lovet. “While we’re detecting only a few instances of the malware in those regions, it’s leading us to believe the code is currently being tested by its authors or deployed for very specific, targeted attacks.”

On a related note, Fortinet researchers also recently found a new Android malware in the wild in France, which poses as a Flash Player installer and steals incoming SMS messages by forwarding them to a remote server. Fortinet has dubbed it Android/Fakelash.A!tr.spy.

“Contrary to many Android malware which are downloaded from underground or legitimate marketplaces, this one is propagating via a link in a SMS,” said Fortinet researcher Axelle Apvrille, in the company blog. “For example, the victim below complains he received an SMS from 10052 saying, ‘For proper function of your device, please download the new ANDROID Flash update at this link:’.”

As more banks and online merchants roll out two-factor authentication − usually through the use of an SMS code to bring the second authentication factor and confirm a transaction − Android and Blackberry users should be mindful anytime their financial institution asks them to install software onto their computing device, “as this is something banks rarely if ever request from their customers,” Lovet noted.

For complete security, FortiGuard Labs recommends conducting online banking from the original operating system CD. If that is not an option, users should at the very least install an anti-virus client on their phone and desktop PCs and make sure they are updated with the latest patches.

Meanwhile, Fortinet also has detected large scale scans for vulnerability emanating from Eastern Europe. These scans were performed through a tool developed by Romanian hackers to seek web servers running vulnerable versions of the mySQL administration software (phpMyAdmin) in order to take control of those servers.

The tool, called ZmEu, contains code strings in the payload that refers to AntiSec, the global hacking movement initiated by Anonymous and Lulzsec last year that targets banks and government departments. The scans are being performed around the world, and in September, almost 25% of FortiGuard monitoring systems were detecting at least one such scan per day.

“The goal behind an attack on this vulnerability is open to speculation,” added Lovet. “But if these hackers are indeed related to AntiSec, possible scenarios include exfiltering sensitive data, using the compromised servers as a direct denial of service (DDoS) launch base or defacing the Websites they’ve infiltrated.”

To secure Web servers against this threat, Fortinet recommends updating to the latest version of PhPMyAdmin.

What’s hot on Infosecurity Magazine?