We now have confirmation for what we wrote in our previous blog post: Samsung is not shipping keyloggers on their laptops.
The whole saga was caused by a false alarm of the VIPRE Antivirus product. Apparently VIPRE detects the StarLogger keylogger by searching for the existence of a directory called "SL" in the root of the Windows directory. This is a bad idea.
As an example, here's a screenshot showing VIPRE alerting on a completely clean Windows computer after an empty "SL" folder was created:
As some Samsung laptops do indeed have a folder called "C:\WINDOWS\SL" on them by default, VIPRE would alert on them with a similar warning.
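To make the failure mode concrete, here is an added example (not VIPRE's code and not from the original post) contrasting a rule that fires on the mere existence of a `<WINDOWS>\SL` directory with one that only fires when a file inside that directory matches a known-bad digest. The digests and the sample file are constructed placeholders, not real StarLogger indicators.

```python
import hashlib
import os
import tempfile

# Constructed placeholder set: the SHA-256 digests an analyst would record for
# the keylogger's actual binaries. These are NOT real StarLogger hashes.
KNOWN_BAD_SHA256 = {"0" * 64}


def naive_rule(windows_root):
    """The behaviour described in the post: flag the machine because <root>/SL exists."""
    return os.path.isdir(os.path.join(windows_root, "SL"))


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def content_rule(windows_root, bad_hashes=KNOWN_BAD_SHA256):
    """Flag only when a file under <root>/SL matches a known-bad digest.

    An empty or vendor-populated SL folder never trips this rule; the directory
    name is treated as a hint to look closer, not as evidence by itself.
    """
    sl_dir = os.path.join(windows_root, "SL")
    if not os.path.isdir(sl_dir):
        return False
    for dirpath, _dirs, filenames in os.walk(sl_dir):
        for name in filenames:
            if sha256_of(os.path.join(dirpath, name)) in bad_hashes:
                return True
    return False


def demo():
    """Reproduce the false alarm: an empty SL folder, then one holding a 'known' file.

    Returns {"no_sl": (naive, content), "empty_sl": (...), "known_file": (...)}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        results["no_sl"] = (naive_rule(root), content_rule(root))
        os.mkdir(os.path.join(root, "SL"))
        # This is the screenshot scenario: the folder exists but holds nothing.
        results["empty_sl"] = (naive_rule(root), content_rule(root))
        sample = os.path.join(root, "SL", "sample.bin")
        with open(sample, "wb") as handle:
            handle.write(b"constructed sample, standing in for a real binary")
        bad = {sha256_of(sample)}  # pretend this digest is on the indicator list
        results["known_file"] = (naive_rule(root), content_rule(root, bad))
    return results


if __name__ == "__main__":
    for scenario, (naive, content) in demo().items():
        print(f"{scenario:11s} naive={naive!s:5s} content={content}")
```

The naive rule returns `True` for both the empty folder and the folder with a matching file, which is exactly why a Samsung machine with a stock `C:\WINDOWS\SL` directory gets flagged; the content rule stays quiet until it finds something it can actually attribute to the keylogger.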
Unfortunately Mohamed Hassan (CISSP) who did the original analysis did not double-check his findings and blamed Samsung instead. Apparently he did not look at the contents of the "SL" folder at all.
Network World has published an article claiming that Samsung Electronics installs Windows keyloggers on their laptops by default. This caused an uproar, as even Samsung support appeared to confirm this, saying that the commercial StarLogger keylogger is installed by default to "monitor the performance of the machine and to find out how it is being used".
All this is a bit hard to believe. F-Secure Anti-Virus detects StarLogger (as "Trojan.Generic.5223315"). So do many other antivirus vendors. We have not seen any kind of spike in StarLogger reports.
So, what to do? Well, we went to a local IT store and checked some Samsung laptops ourselves.
No, we did not find StarLogger, or any other keylogger, on the laptops we tested. These included Samsung models R540, RF710, QX310, SF510, X125, and NF310. They were all running different versions of Windows 7. Note that the list includes the Samsung R540, which was one of the laptop models mentioned in the original Network World report.
In summary, until proven otherwise, we don't believe Samsung has been installing keyloggers on their laptops by default.
"All customers start with 5 GB of free Cloud Drive storage to get started. For a limited time, get a free upgrade to 20 GB of Cloud Drive storage with an MP3 album purchase."
Wow. 5 gigabytes with a free upgrade to 20 GB? That's awesome.
I only have one huge problem with it…
Amazon's password policy is seriously lacking.
This is the message generated when somebody attempts to set their password to "password" or "123456".
Wait. What?!? Success… for password and 123456?
Well geez, at least Amazon's password policy doesn't accept "1234".
Look, Amazon has decent defenses in place to prevent somebody from hacking an account and then shipping products to a new address. For that, the attacker needs the entire credit card number and other details.
But now you've moved the product into the cloud! Shipping isn't required.
Gigabytes of online storage connected to a credit card will be a really tempting target for hackers. And because Amazon accounts are based on e-mail addresses… hackers won't even have to phish Amazon directly. They can just phish e-mail accounts and then try the same password at amazon.com.
— Another thing —
I just tried accessing my account using the wrong password more than ten times!
Just when do the brute force defenses kick in?
I used the correct password on my 12th attempt (or so) and was then given direct access.
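The two gaps described above, a policy that accepts "password" and "123456" and a login that never throttles, are cheap to close. The following is an added illustration, not Amazon's code and not from the original post: a denylist-plus-length password check and a per-account throttle that locks the account for a window after repeated failures. The limits (8 characters, 10 failures, 15 minutes) and the denylist contents are assumptions chosen for the example.

```python
import hmac
import time

# Constructed denylist: the three values the post mentions plus a few other
# perennially common choices. A production list would be far longer.
COMMON_PASSWORDS = {"password", "123456", "1234", "12345678", "qwerty", "letmein"}
MIN_LENGTH = 8  # assumed policy minimum


def check_password(candidate):
    """Return the list of reasons a candidate password is rejected; [] means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if candidate.lower() in COMMON_PASSWORDS:
        reasons.append("on common-password denylist")
    return reasons


class LoginThrottle:
    """Count consecutive failures per account and lock the account for a window.

    The lock applies even when the next attempt carries the correct password,
    which is the check the post found missing on the 12th attempt.
    """

    def __init__(self, max_failures=10, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so the window can be tested without sleeping
        self.failures = {}            # account -> consecutive failed attempts
        self.locked_until = {}        # account -> monotonic time the lock expires

    def attempt(self, account, password, stored_password):
        """Return "locked", "ok" or "bad".

        stored_password is a plaintext stand-in for the example only; a real
        service verifies a salted password hash here.
        """
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if hmac.compare_digest(password.encode(), stored_password.encode()):
            self.failures.pop(account, None)
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures.pop(account, None)
        return "bad"


if __name__ == "__main__":
    for pw in ("password", "123456", "1234", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
    throttle = LoginThrottle()
    for _ in range(10):
        throttle.attempt("alice", "wrong", "correct horse battery staple")
    print("12th attempt with the right password:",
          throttle.attempt("alice", "correct horse battery staple", "correct horse battery staple"))
```

Unlike the behaviour described in the post, this checker rejects all three of "password", "123456" and "1234" (the first two for being on the denylist, the last for both reasons), and the throttle refuses the correct password once the lock is in place until the window expires.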
Listen, I really appreciate my new cloud drive.
I just don't think I'll be using it for much until you enact some better safeguards to protect it.
"…algorithmically selects and retweets some of the most interesting tweets spreading across Twitter. Enjoy!"
Well, it looks as if an adult dating spammer is gaming the system (or else Twitter really needs to tweak its top tweets algorithm):
@TopTweets recently retweeted this tweet from @CamGirlTrenity:
But more surprisingly, @TopTweets also retweeted this tweet from @SkypeCamGirls already on Saturday:
Guess nobody reported the spam over the weekend.
Hopefully Twitter will look into this soon as @TopTweets has over one million followers and we seriously doubt that they want to be exposed to sites such as getiton.com and camsexroulette.net.
Fortunately however, the links are obviously "not safe for work" (#nsfw) and relatively few people have clicked them. So perhaps most folks have just a bit more common sense than many so-called experts give them credit for?
Updated to add: Nice! Twitter has suspended both @CamGirlTrenity and @SkypeCamGirls (among others…).
Today's tweet is no longer in the @TopTweets feed and we expect that Saturday's will soon be purged as well.
According to Comodo, the registrations seemed to be coming from Tehran, Iran and they believe that because of the focus and speed of the attack, it was "state-driven".
What can you do with such a certificate?
Well, if you are a government and able to control Internet routing within your country, you can reroute all, say, Skype users to fake https://login.skype.com and collect their usernames and passwords, regardless of the SSL encryption seemingly in place. Or you can read their e-mail when they go to Yahoo, Gmail or Hotmail. Even most geeks wouldn't notice this was going on.
What about the rogue certificate for addons.mozilla.org? Initially I thought there would be no other reason than to use Firefox extensions as some sort of malware install vector. However, Eric Chien from Symantec came up with an interesting alternate theory: it could be used to block the installation of certain extensions that bypass censorship filters (thanks, Eric!) For examples of such extensions, see here and here.
As the certificate revocation systems in place are far from foolproof, Microsoft has just announced that they will be shipping a Windows update that will force these rogue certificates to be moved to the local untrusted certificate store.
Updated to add: Comodo has now said the attacker gained entry to its system by obtaining the password and username of a European affiliate. Once inside, the attacker could have issued certificates to any site he wanted. Wall Street Journal has more on the breach.
Updated to add: What's the importance of a Certificate issued for "Global Trustee"? We don't know. This isn't a documented entity anywhere we could find. Our best guess at this point is that there is some hardware product from some large vendor with hardcoded support for a certificate for "Global Trustee"…
Updated to add: Iran does not have its own CA. If they did, they wouldn't need to do any of this, as they could just issue rogue certificates themselves. On Twitter, @xirfan commented on this, saying: "I work for a webhoster. Our Iranian & Syrian customers aren't allowed SSLs".
Here's a full list of root certificates stored in the Mozilla project Root CA store. It includes certificates issued by CAs in China, Israel, Bermuda, South Africa, Estonia, Romania, Slovakia, Spain, Norway, Colombia, France, Taiwan, UK, The Netherlands, Turkey, USA, Hong Kong, Japan, Hungary, Germany, and Switzerland.
Updated to add: A person or persons claiming to be "Comodo Hacker" has posted a public note on the incident. The person/people behind the post do seem to have had access to Comodo's or instantssl.it's internal systems. Whether the rest of their story is true or not, we don't know.
We detect them as Exploit.CVE-2011-0609.A and Exploit:W32/XcelDrop.F.
Another sample we've seen (md5:20ee090487ce1a670c192f9ac18c9d18) is an Excel file containing an embedded Flash object that exploits a known vulnerability (CVE-2011-0609). When the XLS file is opened, it shows an empty Excel spreadsheet and starts exploit code via a Flash object.
The Flash object starts by doing a heap-spray containing the following shellcode:
This first shellcode only loads and passes execution to a second shellcode embedded in the Excel file:
The second shellcode is responsible for decrypting and executing an EXE file (also embedded in the Excel file):
In the meantime, the Flash object constructs and loads a second Flash object in runtime:
This second Flash object is the main exploit in this malware and it exploits CVE-2011-0609 to execute the shellcode in the heap. We generically detect the Flash object as Exploit.CVE-2011-0609.A.
As an aside: the main exploit appears to have been delivered in this fashion in an attempt to evade detection. As it is loaded in memory, no physical file is available for scanning by an antivirus engine. Embedding the Flash object that loads the main exploit in an Excel file may be an attempt to further disguise the attack.
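Because the main exploit is built in memory, the scannable artefact on disk is the first Flash object embedded in the spreadsheet. The following added example (not F-Secure's engine and not from the original post) shows the kind of triage check a responder can run over a suspect file: locate SWF headers ("FWS" uncompressed, "CWS" zlib, "ZWS" LZMA) anywhere in the byte stream, sanity-check the version and declared length to weed out accidental matches, and decompress a zlib-packed body for further inspection. The sample container is constructed inline; it is not the XLS discussed above.

```python
import struct
import zlib

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian length.
# For CWS/ZWS the length field is the *uncompressed* size.
SWF_MAGICS = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
MAX_PLAUSIBLE_VERSION = 40  # assumption: anything above this is treated as a false match


def find_embedded_swf(data):
    """Return sorted (offset, compression, version, declared_length, plausible) for each header found."""
    hits = []
    for magic, compression in SWF_MAGICS.items():
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx < 0 or idx + 8 > len(data):
                break
            version = data[idx + 3]
            declared = struct.unpack_from("<I", data, idx + 4)[0]
            # A real file declares at least its own 8-byte header; an uncompressed
            # one must also fit inside the container it is embedded in.
            plausible = declared >= 8 and 1 <= version <= MAX_PLAUSIBLE_VERSION
            if compression == "uncompressed":
                plausible = plausible and idx + declared <= len(data)
            hits.append((idx, compression, version, declared, plausible))
            start = idx + 1
    return sorted(hits)


def extract_swf(data, hit):
    """Return the SWF body (bytes after the header) for an uncompressed or zlib hit, else None."""
    offset, compression, _version, declared, _plausible = hit
    if compression == "uncompressed":
        return data[offset + 8 : offset + declared]
    if compression == "zlib":
        # decompressobj stops at the end of the zlib stream and ignores trailing bytes
        return zlib.decompressobj().decompress(data[offset + 8 :])
    return None  # ZWS uses an LZMA framing not handled in this example


# Constructed stand-in for a Flash body (not real ActionScript or exploit data).
SAMPLE_BODY = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 20


def build_sample():
    """Constructed container: OLE-like filler, one zlib-packed SWF, padding, and a decoy 'FWS' inside text."""
    header = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(SAMPLE_BODY))
    filler = b"\xd0\xcf\x11\xe0" + b"A" * 64
    decoy = b"Some cell text with FWSheet in it"   # 'FWS' followed by an implausible version byte
    return filler + header + zlib.compress(SAMPLE_BODY) + b"B" * 32 + decoy


if __name__ == "__main__":
    sample = build_sample()
    for hit in find_embedded_swf(sample):
        print(hit)
        if hit[4]:
            print("  body bytes:", len(extract_swf(sample, hit)))
```

On the constructed sample the scanner reports one plausible zlib-compressed SWF at the expected offset and one implausible "FWS" match from ordinary text; the extracted body can then be handed to a Flash-aware analyser or hashed for an indicator. The heuristics are deliberately loose, so treat a plausible hit as a reason to look closer, not as a verdict.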
Fortunately, the malicious Excel file and its embedded EXE file are detected as Exploit.D-Encrypted.Gen and Trojan.Agent.ARKJ, respectively.
Still, users should update their Flash player as Adobe has already released a patch for this particular vulnerability. For more information, please see their security advisory for CVE-2011-0609.
Chuck Norris kicks ass. We all know that. Malware authors know this too.
In fact, we've seen multiple worms and trojans over the years that make references to Chuck Norris. Probably the best example is the Chuck Norris Router Worm from last year.
While browsing through incoming malware, we noticed this little fellow (md5 66b06adc178d17a7b42301e845eed84d). A botnet client, capable of taking over the computer and allowing full remote access to the infected system.
As usual, it requires a server to connect to. Name of the server? chucknorris.zapto.org. The bot also registers itself in registry under hkcu\software\chuck norris. We detect it as Backdoor:W32/Spyrat.D. Here's a description.
We looked into this a bit more deeply and it turns out to have been generated with a tool called "CyberGate". Here's what the CyberGate control panel looks like.
We want to issue a correction to a blog post we did in January.
While blogging about phishing attacks against EU CO2 Emission Trading Systems, we provided several examples of real phishing e-mails and phishing sites. However, we also mentioned a company called European Climate Registry (europeanclimateregistry.eu).
There were two reasons why we singled this company out. First, the EU had warned about European Climate Registry publicly as it is "not connected to European Commission". However, a company does not need to be connected to the EC if it wants to offer an alternative trading platform for trading carbon-related products.
Second, the domain europeanclimateregistry.eu looked suspicious to us, as standard WHOIS services listed the registrant information as "NOT DISCLOSED!". We later realized that EURid lists all .EU domain registrants as "NOT DISCLOSED!". You can only query the registrant information via EURid's own web form. Thus, our information that the domain was registered with a domain privacy system was incorrect. We have no reason to conclude that European Climate Registry is involved in any wrongdoing.
Our Threat Research team just completed some interesting analysis of a new Man-in-the-mobile (Mitmo) Symbian trojan (designed to steal mTANs), and what's particularly interesting about this variant is that it appears to be a component of SpyEye.
ZeuS and SpyEye recently merged — Krebs on Security has details.
This new version of Mitmo was discovered by a partner a couple of weeks ago (somewhere in Europe…).
The technique used by SpyEye Mitmo to circumvent Symbian's signing requirement — was to use a developer certificate issued by OPDA in China.
The fields injected into a SpyEye Mitmo compromised online banking session include a request for the user's phone IMEI. Once SpyEye had the IMEI, it was added to the list embedded within its certificate, and so, the phone's user installed "self-signed" software and bypassed security prompts. Nokia has taken probationary actions against OPDA to prevent further abuse of their services.
We'll have further analysis available tomorrow.
Researchers can contact us over the usual channels to obtain the sample.
Facebook recently announced a major overhaul of their comments system. The new changes will allow Facebook users to comment on third-party websites using their profiles. Supporters of the new system hope that it will help in combating Internet trolls and comment spam because Facebook accounts typically use real names. Critics of the system argue that it's a threat to free speech.
A number of critics have cited this quote by Mark Zuckerberg, from The Facebook Effect: "You have one identity. The days of you having a different image for your work friends or co-workers and for the other people you know are probably coming to an end pretty quickly … Having two identities for yourself is an example of a lack of integrity."
Reactions among social activists have not been positive. But really, why? Is having only one identity really such a strange concept?
Other than The Batman, who really needs more than one identity?
I only have one identity. I also have an alias on Twitter, @FSLabsAdvisor, and as you can probably tell from its name, it's a work related account and primarily reflects my work persona as a public spokesperson of F-Secure. It's directly connected to my identity, but only represents a particular side of my personality.
I have multiple aliases on the Internet, a couple of them are anonymous, but I only need one identity.
Maintaining identity, privacy and integrity on the Internet can be a tricky thing — take Sarah Palin for example. About three weeks ago, Jack Stuef at Wonkette wrote that Palin maintained a personal Facebook account using the name "Lou Sarah". (Palin's middle name is Louise.) Stuef's take on the story was that Palin had a "secret" account to praise her "Sarah Palin" account. And he doesn't seem to take her Lou Sarah account as a sign of great integrity.
It was quite a good catch, but Stuef didn't get it entirely right. The Sarah Palin account is not a "profile". It is a special type of hybrid "page" for celebrities that behaves as a profile. But it's really just a page and part of Sarah Palin's personal brand. It's very likely that the page is entirely administered by her public relations team.
A lot of people wanting to manage their privacy create anonymous Facebook accounts. Many people clearly want aliases. I suspect that a great deal of the backlash directed at Zuckerberg is due to the fact that having multiple accounts per individual is a violation of Facebook's Terms of Service, and Zuck says stuff that makes them sound like criminals.
I think some of the backlash is deserved.
Facebook's corporate line is that you should only friend people that you actually know. But Facebook makes a lot of money from partnerships with social game companies such as Zynga. Social gaming is a form of casual gaming, and casual gaming encourages the formation of casual friendships. Facebook profits are in part driven by the formation of casual friendships.
You can't have your cake and eat it too.
I've seen lots of examples where people have created secondary accounts to play Facebook games with "virtual" friends. As long as Facebook profits from casual friendships, they need to find a way to better protect their users' privacy. Facebook needs to step up and offer users some sort of aliases, or else they need to adjust their TOS.
I'm not holding my breath.
But how about Facebook's new commenting system?
Is it the death of anonymity and free speech?
Probably not. There's a "backdoor" method which is already being used to comment anonymously.
TechCrunch buried this lead in their initial story: "Incidentally, it's also now possible to leave a comment on an external site as a Facebook Page, which means we could see brands use Facebook to leave 'official' comments on blog posts."
So here's an example of what you can do — create a fictional character.
My character is named "Jaajo Jantteri". And I hold the copyright so I'm in full compliance with Facebook's Page Terms.
Next, visit a site testing the new comments, such as TechCrunch. Select the alias of your choice.
Now we just need to hope that trolls and spammers won't want to do the same.
But hey, if Facebook wants to move the battleground within their walled garden, I say, let them.
The beta version of our Mac OSX software, F-Secure Mac Protection, had a serious false alarm last night.
Database update 2011-03-14_03 caused several false alarms in clean files with detection names such as Exploit:W32/NeosploitPDF.gen!A and Exploit:JS/Brooks.gen!A. The problematic update was removed after two hours. Beta users who received the update have seen some of their clean files moved to Trash.
This problem only affected users of our Mac OSX beta version (Technology Preview). Our Windows and Linux products were not affected in any way.
We're soon going to release a script that will restore the files from Trash back to their original locations. If you were affected by this issue, please do not empty your Trash in the meantime. See our forum for discussion.
Obviously this is not nice. We'd like to apologize to anyone affected by this error of ours.
Updated to add: We have now released a tool that will restore the files back to their original locations. You can download the tool from here.
So, I went to Pakistan, traveled to Lahore, and took a taxi to the address found 25 years ago in the boot sector of the first PC virus. I found the address and knocked on the door. The creators of the first PC virus opened it.
The final result of this trip is now viewable as a 10 minute short film. You can see the film on our Brain mini-site, which also has lots of "behind-the-scenes" material about the trip.
An 8.9-magnitude earthquake has occurred off the north-eastern coast of Japan and a tsunami causing major damage has followed. Naturally, people want to know more, and so they turn to the Web and search for news. And the first place many turn is Google.
As a result, several of Google's home pages now include the following alert:
We've stumbled upon another phishing attempt. This time it was targeted at Maybank's (one of the main banks in Malaysia) "lucky" customers. The typical method is used, i.e., pretending to be someone of authority and then requesting that the customers verify their account, even reminding them to include the Transaction Authorization Code as well.
Further investigation revealed that this e-mail originated from a spam server, and that's all we could find. Every other track has been carefully hidden.
While phishing attempts are nothing new, phishing activity around developing countries seems to be on the rise recently. Have the groups responsible for the earlier activities shifted their focus to a new market? Perhaps they realized that phishy links have a better chance of slipping through undetected if they are localized. Add to that the fact that customers in the area are probably only recently acquainted with online banking, and thus could easily fall prey to sophisticated social engineering methods.
Whatever the reason is, those scammers only have one intention — to get hold of valuable information that translates to financial gain. Tools such as our free Browsing Protection portal can help to protect users from going to dangerous sites, but the best practice is to take charge of one's own safety. Users need to be aware of the tricks usually implemented by those with ill intention to avoid falling into the trap.
A trojanized version of the tool has also emerged (we detect it as Trojan:Android/Bgserv.A). Interesting preliminary analysis of the trojan is available in Symantec's blog.
You can see the difference by checking the application info of the authentic versus trojanized versions:
Android Market Security Tool:
Here's a screenshot of the content/package itself:
Once installed, Trojan:Android/Bgserv.A obtains the user's phone information such as IMEI and the phone number. The information is uploaded to http://www.youlubg.com:81/Coop/request3.php.
Again, this malware appears to be specific to a mainland Chinese network, as it contacts the number 10086 (related to China Mobile Net) and uses the new APN with the name "cmnet" inserted in the APN list.
This malware may lead to high data usage on the infected device, leaving the user with a high phone bill.
Interesting note: the malicious code doesn't seem to be restricted only to the Android Market Security Tool; the same behavior also appears in other Android applications, according to AegisLab's blog.
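Both this post and the Spyrat.D write-up above give concrete network and host indicators: the C&C hostname chucknorris.zapto.org and the registry key hkcu\software\chuck norris for the CyberGate bot, and the upload URL http://www.youlubg.com:81/Coop/request3.php for Bgserv.A. The following added example (not F-Secure's tooling and not from either post) runs those indicators over constructed telemetry lines, normalising registry hive aliases and URL hostnames so that case and formatting differences do not hide a match. The log format and the clean lines are invented for the example; the SMS and APN behaviour of Bgserv.A needs device-side telemetry and is not covered here.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the two posts above. Compared after normalisation.
HOST_IOCS = {"chucknorris.zapto.org", "www.youlubg.com"}
URL_IOCS = {"http://www.youlubg.com:81/coop/request3.php"}   # stored lowercased
REGISTRY_IOCS = {r"hkcu\software\chuck norris"}

# Constructed line format: "<timestamp> <kind> <field>=<value>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\w+)\s+(?P<field>\w+)=(?P<value>.*)$")
HIVE_ALIASES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm"}

# Constructed telemetry; only lines 1-3 carry indicators from the posts.
SAMPLE_EVENTS = [
    "2011-03-10T10:01:02Z dns query=chucknorris.zapto.org",
    "2011-03-10T10:01:03Z http url=http://www.youlubg.com:81/Coop/request3.php",
    r"2011-03-10T10:01:04Z registry key=HKEY_CURRENT_USER\Software\Chuck Norris\Path",
    "2011-03-10T10:01:05Z http url=http://www.example.com/index.html",
    "2011-03-10T10:01:06Z dns query=updates.example.net",
]


def normalize_registry_key(key):
    """Lowercase, drop a trailing backslash and map long hive names to their short aliases."""
    key = key.strip().rstrip("\\").lower()
    hive, sep, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + sep + rest


def scan(lines):
    """Return (line_number, indicator_type, matched_value) for every line touching an indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line)
        if not match:
            continue  # malformed line; a real pipeline would count these
        kind, value = match["kind"], match["value"].strip()
        if kind == "dns":
            host = value.lower().rstrip(".")
            if host in HOST_IOCS:
                hits.append((number, "host", host))
        elif kind == "http":
            host = (urlsplit(value).hostname or "").lower()
            if value.lower() in URL_IOCS:
                hits.append((number, "url", value))
            elif host in HOST_IOCS:
                hits.append((number, "host", host))   # same server, different path
        elif kind == "registry":
            key = normalize_registry_key(value)
            # match the key itself or anything beneath it
            if key in REGISTRY_IOCS or key.startswith(tuple(k + "\\" for k in REGISTRY_IOCS)):
                hits.append((number, "registry", key))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The hostname match on `http` lines is kept separate from the exact-URL match so that a changed path on the same server still surfaces; the registry comparison accepts subkeys because bots typically write several values under their own key rather than just the key named in the description.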
Inside the HQ, the protesters gained access to loads of confidential state documents.
Among them was a document that is highly relevant to computer security: an offer for a product called FinFisher sent to the Egypt State Security Investigation Department.
Note: we can't confirm the origin of this document. We got it from Mostafa Hussein. You can download the full document from here. [PDF, 1.3MB]
FinFisher seems to be an Intrusion and Spying software framework, developed and sold by a German company. It seems to include multiple components, including an "infection proxy" and various intrusion tools.
We don't know if Egypt State Security purchased the tool or not. We don't know if they were using it to spy on their own citizens. We don't know who else could be using it.
The obvious question here is: do we detect FinFisher? And the answer is: we don't know, as we don't have a sample at hand we could use to confirm this.
The obvious follow-up question is: if somebody gets us a known copy of FinFisher, would we knowingly add detection for it? And the answer is: yes we would.
We are in the business of selling protection. We're selling products to protect our customers from attack programs — regardless of the source of such programs.
It's easy to imagine a case where our customer would be innocent of any wrongdoing, but would be suspected for a crime he didn't commit. In such a situation he would have full expectation of his antivirus protecting him against trojans, even if those trojans would be coming from the government. This would be even more relevant if the customer lives in a totalitarian state. Like some of our customers do.
It's perfectly possible that we have already received a sample of FinFisher or some similar tools from our customers. However, if that has happened we have been unable to distinguish them from "normal" criminal trojans. We don't have any known government intrusion tools in our possession.
We've never received a request from any police force or intelligence organization anywhere in the world, asking not to detect their trojans. If they use trojans, they do not submit them to us.
And even if an official would contact us, asking not to detect their trojan, we would follow our guideline on this, published years ago in 2001. Please see our public statement on this very topic.
It would be a slippery slope to stop detecting government trojans. If the USA's government would ask us not to detect something and we would do it, then what? Should we avoid detecting hacking software used by governments… of which country? Germany? UK? Israel? Egypt? Iran?
We blogged about this case in April 2010, when this trojan was being widely distributed. It would lock infected computers, showing a list of copyright infringements found from the system. It would not unlock the system unless you used your credit card to pay "fines".
E-mails leaked to Krebs show that ChronoPay was directly involved with the scam. Even the topic of the e-mail shown below is titled "icpp-online.com Fraud Rate".
He has been convicted today in London and received four years in prison. In the same sentencing, two other males and two females were given jail sentences ranging from 18 months to four years, and community service.
Scotland Yard's release follows:
A group of young internet fraudsters who set up an online 'criminal forum' which traded unlawfully obtained credit card details and tools to commit computer offences have today been jailed for a total of 15.5 years.
[A] Gary Paul Kelly (14.04.89 - 21 yrs) unemployed of Clively Avenue, Clifton, Swinton, Manchester;
[B] Nicholas Webber (10.10.91 - 19 yrs) a student of Cavendish Road, Southsea;
[C] Ryan Thomas (8.7.92 - 18 yrs) a web designer of Howard Road, Seer Green, Beaconsfield, Herts;
[D] Shakira Ricardo (14.11.89 - 21 yrs) unemployed of Flat 13, J Shed, Kings Road, Swansea SA1;
were sentenced today (Wednesday 2 March) for computer misuse and fraud offences following a two-day Newton Hearing at Southwark Crown Court. All pleaded guilty at earlier hearings.
+ [E] Samantha Worley (30.09.88 - 22 yrs) unemployed of Flat 13, J Shed, Kings Road, Swansea SA1 was sentenced on 14 December 2010 to 200 community service for acquiring criminal property.
The gang are believed to have been responsible for the largest English-language online cyber crime forum and were all arrested on various dates in 2009 and 2010, following a complex investigation by officers from the Metropolitan Police Service's Police Central e-Crime Unit (PCeU).
During an eleven month investigation detectives uncovered evidence that the defendants were directly involved in the global forum (used by over 8,000 members) which promoted and facilitated the electronic theft of personal information; credit and debit card fraud; buying and selling of personal information (including passwords and PIN numbers); the creation and exchange of malicious computer programs (malware); the establishment and maintenance of networks of infected personal computers (BotNets); and tutorials offering advice on how to commit such offences, including how to evade and frustrate law enforcement activity and the exchange of details of vulnerable commercial sites and servers.
Founder of the forum was Webber. Having established a web site named 'www.GhostMarket.net', he acted as "administrator" and had overall control of the site (meaning he was able to allow/ban members, remove or edit their posts, and alter their status on the forum.)
An examination of the rebuilt forum and its database revealed many thousands of data entries relating to individuals' personal details including names, dates of birth, bank details, passwords, paypal accounts and social security numbers. Site members are believed to have traded in compromised databases containing thousands of personal details including bank account numbers, PIN numbers, passwords and malware including the Zeus Trojan and other types of criminal software, including credit card verification programs.
The forum included such topics as: 'Phishing kits (post free phishing kits and sell them)'; 'Show off (show us your skills here)'; 'Tutorials (post some useful info here)'; and 'Cardable (post sites you've carded here)'. There was also advice and tutorials on various methods of evading law enforcement, how to encode blank plastic with credit card data, and how to hack into sites, and even recipes for controlled drugs (crystal meth) and a tutorial on bomb making.
Members of the site communicated anonymously by the use of screen nicknames. They were able to post messages in various forum topics on the website and send/receive private secure messages to/from other site members.
During the investigation detectives recovered from the defendants' computers more than 130,000 compromised credit card numbers, which at an estimated industry loss of £120 per card, is a potential £15.8 million financial loss in relation to card numbers alone.
On 3 November 2009 detectives arrested Kelly after executing a search warrant at his home address. A full search of the property was conducted, with a number of computers and mobile phones removed from the address for examination.
It was established that Kelly had independently constructed and distributed across the web a sophisticated Zeus malicious computer programme which enabled him to infect and compromise over 15,000 computers in over 150 countries, harvesting from them over 4 million lines of data including huge quantities of credit card numbers and other confidential, personal information.
Having been provided with relevant passwords by Kelly, detectives were able to rebuild the GhostMarket forum and its database using files from his PC.
Prior to this, on 12 October Webber and Thomas were arrested at a five star central London hotel for using stolen credit card details to pay for accommodation in the penthouse suite. They claimed to have responded to an online advert, saying they had paid money to an anonymous individual.
Bailed to return whilst officers conducted further inquiries, items including their laptops were seized. In addition they were found to be in possession of business cards brandishing the 'GhostMarket' logo, advertising it as "A new era in virtual marketing" with the byline "I'm a carder, ask about me..."
The duo's involvement in the 'GhostMarket' criminal forum was soon established and inquiries were made to trace them after they failed to return on bail in relation to the stolen credit card offence.
It was later discovered that on 31 October the pair had flown out to Palma, Majorca, where they had been living in a rented flat in Port D'andrax.
On 29 January 2010 they were arrested at Gatwick Airport as they flew in from Palma.
The following day a search of Webber's home address revealed a computer containing a series of files outlining a step-by-step guide to committing various criminal offences.
Owing to the volume of evidence to be examined and the complexities of the case, the pair were released on police bail to return at a later date.
Officers subsequently travelled to Spain and, accompanied by Spanish Police, attended the flat Thomas and Webber had rented out. The property was empty, but local enquiries established that the contents had been posted back to their UK addresses.
Those items, as well as additional computer equipment, were subsequently recovered.
Through the forensic examination of seized computers and other digital storage devices, as well as evidence secured through the rebuilt Ghostmarket site, officers identified Ricardo, a trusted member of the forum, and she was traced to Swansea, South Wales. Initially joining the site as a complete novice, over time Ricardo had progressed to become directly engaged in card fraud and computer malware activity.
Financial enquiries identified a payment made from Ricardo into her partner Worley's bank account, incriminating her in the fraud.
Detective Inspector Colin Wetherill, Police Central eCrime Unit said: "These defendants were accomplished cyber criminals, engaged in the systematic mass infection of computers in homes and businesses in the UK and overseas.
"They unlawfully harvested personal and financial information from their victims to be exploited for financial gain.
"The GhostMarket crime forum was used by thousands of computer criminals and fraudsters operating worldwide.
"Through it the defendants built an extensive criminal network to facilitate the wholesale trade of compromised credit card details, confidential financial and personal information, malicious computer programmes, and other sophisticated tools and criminal services.
"The arrest, prosecution and conviction of these individuals represents a significant step forward in our efforts to tackle cyber crime and reduce the harm it causes."
+ A full financial investigation into all four defendants is underway.
Recent reports on trojanized applications being found on the official Android Market just came to our attention (via Androidpolice.com and Reddit).
The malicious applications were uploaded using various developer names. A full listing of the applications involved appears here: http://pastebin.com/Ue8TfLgE.
According to the androidpolice.com report, on checking out one of the malicious applications, it contains a known exploit "rageagainstthecage" for gaining root access. This exploit is known to work on Android 2.2 and below.
The original androidpolice.com report indicated the malicious applications have already been pulled from Android Market — which is great news for users who haven't yet unwittingly downloaded the malware.
Users who have already done so may still need to wait for Google to remotely remove these apps — or remove them manually.
We'll continue to monitor the situation. We're also looking for samples of these trojanized applications for further analysis. If you have one of the malicious samples, you might consider sending it to our Sample Analysis System.
Edited to add: The pastebin link is no longer valid. Mashable and other news outlets are publishing the list.
A Chinese version of the "Steamy Window" application for Android was recently found repackaged with a malicious routine (Symantec has a good post on it). It appears the malware creator(s) favor this application, as they have already come out with a new variant, which is detected as Trojan:Android/Pjapps.B.
A quick look at this variant shows that the malicious functionalities remain mostly the same, including sending SMS, installing an application, adding bookmarks, and receiving commands from a C&C server.
Here are some screenshots comparing Trojan:Android/Pjapps.A and Trojan:Android/Pjapps.B:
And here's a quick view of the code for both variants, showing clearly enough that Pjapps.A (left) is the original version, with Pjapps.B (right) being "version 2":
Perhaps the most visible change seen is that the new version "automatically starts at boot".
This is hardly the first trojanized Android app we've seen (Trojan:Android/Adrd.A). Still, it's one more sign that Android malware is on the rise and maybe not too surprisingly, the focal point for it seems to be China.
Our Android product detects these two variants with the latest database update.