[ Security Alert ]
15 May, 2012 11:24
Security Alert 2012-05-15: Twitter Spam Leads to Android Fake Antivirus
Updated: 2012-May-15, we found another download site that uses a different domain name but points to the same IP as mentioned in GFI's blog. Several alternative markets use these download sites to serve the malware. The IP is 91.223.77.204, located in Ukraine.
According to GFI Lab's blog titled "New Twitter Spam Run Leads to Android Rogue AV", the download site serves either a JAR file or an APK file depending on the User-Agent. Further analysis discovered that the download site also tries to serve the same APK with a different file hash value each time. Recall from yesterday's blog that the APK malware in the RU domains achieves this by inserting junk files into the APK. In this case, the download site uses another way: it changes the order of unused files inside the APK, which also produces different file hash values.
As Android malware is also evolving toward polymorphism, one of the true challenges for Android anti-malware vendors is just beginning.
By AegisLab
[ Security Alert ]
14 May, 2012 21:47
Security Alert 2012-05-14: Android Malware Distribution in RU Domain
TrendMicro found a RU (Russia) domain containing a fake Flash Player for Android three days ago. Tracking similar web sites further, AegisLab found that it is a systematic malware distribution. The malware writers collaborate to set up blogs that advertise those app domains and dedicated web pages. The app domains are:
hxxp://android-google-play.ru/
hxxp://sims3android.ru/
hxxp://www.fruitninjaandroid-apk.ru/
hxxp://www.flashplayerandroid-apk.ru/
hxxp://www.cuttherope-android-apk.ru/
hxxp://www.cuttherope-experiments-apk.ru/
hxxp://www.cuttherope-apk.ru/
hxxp://www.angrybirds-android-apk.ru/
hxxp://www.jellydefense.ru/
hxxp://www.templerun-android.ru/
All the downloads currently lead to hxxp://www.radeon9200.net/download1/{deleted}. Note that on each download, the malware download server injects some junk files into the APK file in order to produce a different hash value for the APK and fool anti-malware programs.
Right now most anti-malware programs can still identify those malicious APKs; users have to be careful before installing programs from untrusted sources.
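Both this alert and the 2012-05-15 alert above describe the same evasion: the payload is unchanged, but junk entries are injected or the ZIP entry order is shuffled so the whole-file hash differs on every download. The script below is an added example (not AegisLab's code) showing why a detector should fingerprint only the code-bearing entries of an APK, order-independently, instead of the raw file; the APK contents are constructed placeholders, not real samples.

```python
import hashlib
import io
import os
import zipfile

# Entries that actually carry behaviour in an APK; junk added elsewhere in the
# archive, or a reshuffled entry order, must not change the fingerprint.
def is_code_entry(name):
    return (name in ("AndroidManifest.xml", "resources.arsc")
            or name.endswith(".dex")
            or (name.startswith("lib/") and name.endswith(".so")))

def build_apk(entries):
    """Build an in-memory APK-like ZIP from (name, bytes) pairs in the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()

def file_hash(blob):
    """Whole-file SHA-256: the value a naive blocklist would key on."""
    return hashlib.sha256(blob).hexdigest()

def code_hash(blob):
    """Order-independent SHA-256 over (name, content digest) of code-bearing entries only."""
    items = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if is_code_entry(info.filename):
                items.append((info.filename, hashlib.sha256(zf.read(info)).hexdigest()))
    h = hashlib.sha256()
    for name, digest in sorted(items):
        h.update(name.encode() + b"\0" + digest.encode() + b"\n")
    return h.hexdigest()

# Constructed samples: MANIFEST/DEX are placeholders, not real APK content.
MANIFEST = ("AndroidManifest.xml", b"<manifest package='example.fake.av'/>")
DEX = ("classes.dex", b"dex\n035\0placeholder-bytecode")
ICON = ("res/drawable/icon.png", b"\x89PNG placeholder")
ORIGINAL = build_apk([MANIFEST, DEX, ICON])
# Same payload, entries reordered plus a random junk file: the two repacking tricks in the alerts.
REPACKED = build_apk([ICON, ("assets/junk.bin", os.urandom(64)), DEX, MANIFEST])
# Genuinely different code: the fingerprint must change here.
MODIFIED = build_apk([MANIFEST, ("classes.dex", b"dex\n035\0other-bytecode"), ICON])

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("repacked", REPACKED), ("modified", MODIFIED)):
        print(f"{label:9} file={file_hash(blob)[:16]}... code={code_hash(blob)[:16]}...")
```

Running it shows the whole-file hash changing between the original and the repacked sample while the code hash stays identical, and only a real change to classes.dex moves the code hash.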
By AegisLab
[ Security Alert ]
08 May, 2012 14:48
Security Alert 2012-05-08: Fake Antivirus Apps Come Again!
Remember the Chinese security blog [2012-04-19 Fake NQ Mobile in Google Play] we published before: the same developer, thasnimola, has published 15+ apps (including a fake AV and a fake free SMS app) in Google Play again! The developer uses webkit-Appsgeyser to generate the fake apps automatically. Below are the apps he released in Google Play, and as far as I know the number of fake apps is still increasing! I wonder whether this guy only wants people to visit his page (hxxp://ddlj.wapka.mobi/site_649.xhtml) or has further malicious intent.
Figure 1: The apps from thasnimola.
Figure 2: Fake AV app introduction page.
Figure 3: Redirect the traffic to this page.
Update 2012-05-11: McAfee also warns this threat today.
By AegisLab
[ Product News ]
02 May, 2012 18:37
Product News 2012-05-02: AegisLab URL Category Service Collects more than 100M URLs
We are glad to announce that the number of collected and classified URLs in our URL category service has passed 100,000,000 and is growing very quickly. With our expertise in language processing and web page modeling, our backend system delivers high performance and better precision in web page classification. The system can handle over 58 languages right now and is also specialized in Chinese, Japanese and Korean.
By AegisLab
[ Product News ]
27 April, 2012 16:20
Product News 2012-04-27: AegisLab Application Guard Solution Can Detect & Block the "LINE" Application on Mobile Phones
1. What's "LINE" ?
As a fast and light messenger that provides free messaging and voice calls, LINE has been ranked no. 1 in the free app category in Japan, Singapore, Hong Kong, Taiwan, Thailand, Malaysia, Macau, Saudi Arabia, Kuwait, Bahrain, United Arab Emirates, Qatar, Jordan, Israel, Switzerland and Turkey. LINE provides FREE messenger and VoIP services on 3G and Wi-Fi networks. Users do not have to pay for these services.
With LINE you can:
- Send photos as well as location info.
- Use any of the 255 unique stickers and emoticons.
- Enjoy free messaging.
- Create or join group chat rooms with up to 100 people.
- Make free voice calls.
2. Why Detect/Block "LINE"?
In a corporate environment, the company always wants to enforce its security policies and to supervise communications. Mobile devices inside the corporate network may use the company Wi-Fi and gateway to access the network, and in that case the company wants to know what the traffic is. The AegisLab Application Control is a suite of signature services that can identify and control over 1,000 applications, and we also move fast to keep up with the growing use of mobile applications.
3. How and Which Version?
A. The Lionic Application Guard signature database has been able to block the use of LINE since 25/04/2012.
B. Application Guard can block the following versions of LINE by enabling policies in the "IM/LINE" category:
- LINE 2.0.2 (for iPhone)
- LINE 2.0.9 (for Android)
- LINE 1.1.18.84 (for Windows)
- LINE 1.1.18.84 (for Mac OS X)
4. Note: "WhatsApp" can already be detected and blocked.
By AegisLab
[ Security Alert ]
27 April, 2012 16:02
Security Alert 2012-04-27: Massive SQL Injections Strike Back
Last December we issued a security alert about a SQL injection campaign redirecting to "lilupophilupop.com", and in January of this year we also warned that 2M websites had been tampered with. Several months later, ISC SANS has discovered another massive wave of SQL injection attacks, as shown in the following figure.
Like the previous "Lilupophilupop SQL injection" attack, it still targets ASP, IIS and MSSQL. We now know that lots of sites have been injected, whether or not the injection leads to a successful attack.
AegisLab reminds webmasters to check their own sites, or to use Google to discover whether they are affected. Users should have antivirus software installed. MIS or CSO staff should consider deploying a malicious URL filtering solution or product in the corporate environment.
By AegisLab