NEWS FROM THE LAB - December 2011


Thursday, December 29, 2011

440,783 "Silent SMS" Used to Track German Suspects in 2010 Posted by Sean @ 18:47 GMT

The 28th Chaos Communication Congress (28C3) is currently underway in Berlin and on Tuesday, researcher Karsten Nohl gave a presentation called: Defending mobile phones. If you have an hour, it's worth watching.

Initial press reports focused on Nohl's revelation that hackers can potentially sniff numerous phone IDs and network authentications from an advantageous point, and because network authentications aren't frequently refreshed (depending on the network operator), an attacker could make expensive premium rate calls and bill them to other persons. GSM network specifications allow for every network action to be re-authenticated, but that requires serious investment in authentication servers. So operators may only do it every third call. Or tenth. Or perhaps only when the phone connects to the network.

The H Security has a good summary overview of all the topics covered during the presentation.

But one of the most interesting things, from our point of view, was Nohl's brief reference to recent reports (Dec. 13th) about various German police authorities having used nearly half a million "Silent SMS" to track suspects in 2010.

So we did a web search and found nothing about it in the English language press. However, Wikipedia's SMS entry has (had) this:

     Silent messages, often called silent SMS, stealth SMS, or stealthy ping, will not show up on the display, neither
     is there an acoustical signal when they are received. However, at the mobile provider some data is created
     (for example, the subscriber identification IMSI). This kind of message is sent especially by the police to locate
     a person or to create a complete movement profile of a person. In Germany in the year 2010, nearly half a
     million "silent SMSs" were sent by the federal police, the customs, and the secret service "Office for Protection
     of the Constitution."

We followed the referenced link to this Heise Online article. The title translates as: Customs, Federal Police and Protection of the Constitution in 2010 sent more than 440,000 "silent SMS".

Hmm, Germany's Customs Enforcement. Those were the folks that used the R2D2 backdoor a.k.a. "0zapftis".

Using Google Translate and Google News, we were able to locate more German language articles using "stille SMS".

The Federal Ministry of the Interior provided details on December 6th. (PDF)

In the screenshot below, you can see the number of messages sent by three authorities since 2006.

Andrej Hunko Report

So what exactly does this mean?

Well, basically, various German law enforcement agencies have been "pinging" mobile phones. Such pings only reply whether or not the targeted resource is online or not, just like an IP network ping from a computer would.

But then after making their pings, the agencies have been requesting network logs from mobile network operators. The logs don't reveal information from the mobile phones themselves, but they can be used to locate the cell towers through which the pings traveled. And thus, can be used to track the mobile targeted.

Requesting such network logs was a legal gray area until 2007, when Germany amended its telecommunications surveillance act.

And now we are left to wonder, just how many other countries consider this type of tracking to be a gray area?


New Year's Wishes - with Side Order of Data Harvesting Posted by ThreatSolutions @ 10:12 GMT

It's almost the end of 2011. What with Christmas recently passed, and the New Year coming up, there's naturally a lot of well wishes and holiday greetings being messaged around. Looks like somebody's decided to join in (a little late) — and also do a bit of data harvesting at the same time.

Spyware:Android/AdBoo.A appears to be one of those programs that lets you send witty/sweet/funny messages to your contacts. On execution, it displays a list of text messages that fall into different categories: new year wishes, friendship, love and jokes:

AdBoo text

When the user selects one of these messages, the app prompts a dialog box asking for the next action: Contact, Edit or Cancel:

AdBoo message

If Contact is chosen, the app tries to read the stored contact data. Presumably, it needs to know to whom to send the message:

AdBoo choices

During our initial analysis, because the test phone didn't have any stored contacts, the app didn't retrieve anything at this point.

However, when AdBoo was retested with (bogus) contacts present, no text message was sent then either — AdBoo only produces a dialog box with the message "Sending fail":

AdBoo sending fail

We noticed that the app did do something else though. On selecting the Contacts options, it silently obtained the following information from the device:

1) Phone Model
2) Android Version
3) Phone number
4) International Mobile Equipment Identity (IMEI) number

The harvested details are then forwarded to remote server.

Incidentally, looking at the certificate for this variant of AdBoo, it appears to be from the same developer as Zsone.A:


AdBoo SHA1


Zsone SHA1

Threat Solutions post by — Irene


Wednesday, December 28, 2011

Suo Anteeksi: Polite Variant of ZeuS Posted by ThreatResearch @ 15:45 GMT

There's a run of ZeuS (aka Zbot) trojans currently targeting several Finnish banks. And naturally, our Threat Research team has been working on related cases. Interestingly, they've discovered some new ZeuS functionality that hints of SpyEye.

This version of ZeuS 2.x (Zbot.AVRC) has two new commands it will accept: user_activate_imodule and user_restart_imodule.

Zbot.AVRC Commands
SHA1: bf4fc1fb3bf98e1e783fb974f0b3ba622cd4b267

When it receives the command user_activate_imodule, Zbot.AVRC will start a thread that attempts to load a certain DLL from disk, and if the DLL does not exists, it will be downloaded from a remote server. The trojan then fetches the addresses for three different functions that are exported by the DLL: TakeBotGuid, Init, and Start. The DLL is then started by creating a thread that runs code from the DLL.

User_restart_imodule simply calls the function named "Start" from the loaded DLL.

It is interesting to see that the names of the functions used from the loaded DLL are the same as those being used by SpyEye trojan components. The names of commands related to this could also be interpreted to refer to SpyEye (imodule = eyemodule?).

The full list of commands for this variant of ZeuS/Zbot.AVRC:

  •  os_shutdown
  •  os_reboot
  •  bot_uninstall
  •  bot_update
  •  bot_bc_add
  •  bot_bc_remove
  •  bot_httpinject_disable
  •  bot_httpinject_enable
  •  fs_path_get
  •  fs_search_add
  •  fs_search_remove
  •  user_destroy
  •  user_logoff
  •  user_execute
  •  user_cookies_get
  •  user_cookies_remove
  •  user_certs_get
  •  user_certs_remove
  •  user_url_block
  •  user_url_unblock
  •  user_homepage_set
  •  user_flashplayer_get
  •  user_flashplayer_remove
  •  user_activate_imodule
  •  user_restart_imodule

He who has seen more than his fair share of ZeuS bots, sorry for him, will notice that two often seen commands are not present; namely the commands for stealing passwords stored to FTP (user_ftpclients_get) and e-mail clients (user_emailclients_get).

Another notable detail of this ZeuS run is the quality of the Finnish used.

Here's an example:

Zbot.AVRC Error Message

After a customer has started their banking session, they'll be prompted by this message:

"Suo anteeksi, teknillinen palvelu tietää virheestä ja korjaa sitä."

This basically translates to something such as: we're sorry, there's an error and we're working to fix it.

And while the grammar is really rather good, the tone is a bit… odd. Native Finnish speakers say that the sentence sounds something like "we beg your pardon, but there has been as error" et cetera. It's a little too polite for an error message.

We speculate the bank trojan gang outsourced their localization to professional translators, but didn't provide quite enough context.

Analysis by — Mikko ja Mikko


Trojan:Android/FakeNotify Gets Updated Posted by ThreatSolutions @ 09:08 GMT

Earlier this month, we did a post about a family of premium rate SMS Trojans, which we detected as Trojan:Android/FakeNotify.A. Now we've found that the trojan has been updated, with changes to make analysis and detection more troublesome.

The new version comes from the same developer, as can be seen from the signing certificate. There's no change in the trojan's overall behavior, but the coding approach has changed significantly enough to foil static analysis tools and such.

For example, while analyzing, I compared the SMS sending routine from both the original and the current versions, and observed a change from the earlier simpler coding approach to a more dynamic one.

In the original version of FakeNotify, the routine was implemented in a straightforward manner that makes it is very easy to "read" what it does:

FakeNotify, original send

The new version however takes advantage of the Reflection/Dynamic Invocation feature in the Java language to accomplish the same purpose, while making it harder for analysts to "read" the code.

The developer even goes one step further by obfuscating the string arguments with their own encoding/decoding algorithm (though this is just a simple substitution-like cipher). You can see the encoded form below:

FakeNotify, update encoded
FakeNotify.B, SHA1: df866cf4312cf9c929a9a7dc384eebb19d2b2c2d

The change in coding approach could easily defeat most static analysis tools.

Side note: during analysis, I suddenly realized the similarity between Windows LoadLibrary and GetProcAddress combo API functions and some features of Java Reflection. When it comes to dynamic retrieval of other API function addresses (Windows) and classes or method object handles (Java), both will allow the developer to call or invoke a recently acquired method or function.

Anyway, let's go back to Android world. To ease analysis of the new FakeNotify version, I created a simple Python script to replace instances of obfuscated strings with the plaintext ones of all the decompiled Java sources of the malicious application.

After the patching, it became clearer that the SMS sending routine obtains the handle to the class SmsManager and its getDefault method/function, which subsequently needs to be invoked/called or properly initialized in order to use the SmsManager class's sendTextMessage function:

FakeNotify, update decoded

Granted, this is hardly the first time I've seen the Java Reflection feature being used by Android malware, and the string obfuscation is not complex. It is however a pretty clear example of how Android malware developers are continuously adapting and upgrading their techniques to keep their "products" fresh and undetected.

Threat Solutions post by — Jessie


Tuesday, December 27, 2011

Anonymous Anonymous Claims Anonymous is Not Anonymous Posted by Sean @ 16:22 GMT

You've probably heard about the hack by now. Anonymous claimed responsibility.

Then Anonymous denied being responsible.

But then today, "Anonymous" claimed that the earlier anonymously posted pastebin post wasn't Anonymous, but was really Stratfor employees claiming to be Anonymous.

Wait… doesn't Anonymous claim that "we are all Anonymous"? If that's true, then maybe it was Anonymous after all.

Does anybody care anymore?

Appears the public doesn't. Google's instant results for "anonymous is" and "anonymous are" contain few compliments for the group.

In other news: Anonymous promised another data dump today.

Pending denials by Anonymous of course.


Failed Android Premium Rate SMS Trojan Posted by ThreatSolutions @ 10:13 GMT

We've found Android trojans that attempt to send SMS messages to premium rate SMS numbers. That's not unusual. What is different though is that these trojans don't work.

The trojans (detected as Trojan:Android/RuFailedSMS.A) use these permissions:

RuFailedSMS, permissions

And pretend to be installers for a range of applications, with each malicious app offering to download a package (of what is presumably a popular app):

RuFailedSMS, main UI

Some of the "offered" applications include:

  •  Add_It_Up
  •  Advanced_Launcher_Lite
  •  AmazingMaze_supLitesup
  •  Analog_Clock_Collection
  •  Animal_Sudoku
  •  AnySoftKeyboard
  •  AnySoftKeyboard_Slovak_Language_Pack
  •  AppInventor_Toggle
  •  Arrow_Caz
  •  Astronomical_Flashlight
  •  BentoCam!
  •  Bimaru_-_Battleship_Sudoku
  •  BlackJack
  •  Carve_a_Pumpkin_supLitesup
  •  Chinese_Chess
  •  Christmas_Ringtones
  •  Coloring_pages
  •  Contact_Finder_supLitesup
  •  Converter
  •  Countdown_Widget
  •  Crayon_Ball
  •  Cyan_aHome_Theme

Fortunately, due to some uncaught exception in the code, the trojan (SHA1: 0d2d3317c6ca1a9812d357741f45af6bb360d89c) doesn't complete its malicious activities — it just crashes and terminates:

RuFailedSMS, crashed

We've found over a hundred copies of the trojans, but the large number doesn't make it technically advanced — the copies basically use the same source code, but just re-shuffled into different configurations for the different packages.

The trojans were found on third-party Android markets and targets users in Russia, Belarus, Kazakhstan and Azerbaijan.

Even though these trojans crash and fail, we are still detecting them due to the malicious routines, and also because of large number of copies circulating.

Threat Solutions post by — Jessie


Monday, December 26, 2011

About Anonymous, Donations and Charities Posted by Mikko @ 08:03 GMT

Members of the Anonymous collective announced during Christmas that they had broken into

STRATFOR is an organization that gathers open source intelligence for forecasting purposes. Their publications are sold via As far as we can tell, Anonymous gained access to a subscriber list stored on, and that list contained unencrypted credit card data.

Anonymous has now published three lists of credit card details belonging to people who have subscribed to STRATFOR reports. The lists contained 3956, 13191 and 30726 card details, respectively. These card details belong to subscribers all over the world.


After the credit card leaks, various members of Anonymous have published screenshots where these credit cards have been used to make sizable donations to various charities. The charities have included Red Cross, CARE, Save The Children and the African Child Foundation.



At the first glance, actions like this look a bit like the actions of Robin Hood — steal from the rich, give to the poor.

But unfortunately, in this case the poor won't get a dime.

These anonymous donations will never reach the ones in need. And in fact, these actions will just end up hurting the charities, not helping them.

When credit card owners see unauthorized charges on their cards, they report them to their bank or credit card company. Credit card companies will do a chargeback to the charities, which will have to return the money. In some cases, charities could be hit with with penalties. At the very least, they will lose time and money in handling the chargebacks.

Merry Christmas.


Friday, December 23, 2011

Java Exploit on Amnesty International's UK Site Posted by Sean @ 12:57 GMT

'Tis the season for giving. And anybody visiting Amnesty International's UK website could currently end up with the gift of a keylogger courtesy a Java exploit. Brian Krebs has written about it on his blog: Krebs on Security.

Krebs on Security

Amnesty's UK site was hacked to include an iframe linking to a Brazilian server, which hosts a CVE-2011-3544 based Java Exploit.

Our browsing protection is now blocking Amnesty's site. We've been blocking the .br site for several days already. We detect, and there's fairly good AV industry coverage on, both the Java exploit and the trojan it drops.

Read the full details from Krebs, linked above. And stay safe.

As Mikko noted in his post yesterday, if you don't need Java SE, why have it installed?

Here's what a Java-free browser will display when it comes across a Java exploit:

An additional plug-in is required to display some elements on this page.

"An additional plug-in is required to display some elements on this page."

That's one element you really don't want.


Impostor Apps in the Android Market Posted by ThreatSolutions @ 09:51 GMT

There seems to be a growing practice where malware authors boldly use similar package names and icons of popular apps for their malware, and then publish this malware on the official Android Market. Unsuspecting users might download this malware under the false pretense that they are getting the free/lite version of a legit app.

Similar to the practice employed by Logastrod and Miriada Production, Eldar Limited published its malware disguised as the free version of Cut the Rope and Assassin's Creed apps. The only problem is that, a simple search on the Android Market doesn't return any results for the free version of Cut the Rope. Perhaps, the free version simply doesn't exist for the Android platform but there is a free Cut the Rope Lite for iOS. This is where users might get confused and fall prey to this tactic.

Eldar Limited, Android Market

Google's app police managed to detect this fraud and quickly removed it from the Android Market. While the apps are still listed on AppBrain and AndroidZoom, the links will direct users back to the official Android Market where they have already been removed.

EldarLimited, AppBrain

EldarLimited, AndroidZoom

A useful tip for users out there is to search for the paid version of the app and take note of the developer's name. If the name on both paid and free versions matches, then it is very likely to be a safe app. Otherwise, don't proceed with the download.


Thursday, December 22, 2011

Java Considered Harmful Posted by Mikko @ 08:31 GMT

Do you need Java in your web browser? Seriously, do you? If not, get rid of it.

Turns out, most users don't need Java any more, yet people keep running it.

Do not confuse Java with JavaScript: it's hard to use the web without JavaScript. But JavaScript has nothing to do with Java.

The risks of Java are nicely illustrated by the recent Java Rhino vulnerability (aka CVE-2011-3544). If you're running Java, but not the latest version, you're vulnerable. So either you have to check at all times that you have the latest version of Java — or get rid of it altogether.

And the Java Rhino vulnerability is not theoretical: the most common exploit kits have incorporated this vulnerability in their default exploits, and it seems to be working very well for the online criminals.

Here's a sample screenshot from a Blackhole exploit kit control panel. In this picture we can see 16,144 computers which were taken over with the CVE-2011-3544 vulnerability.

Blackhole exploit kit

So, ditch Java if you can. It might not be as painful as you think, as Larry Seltzer found out when he tried it.

Do you need Java for a specific web application? Such as an online bank or an intranet app? Leave Java on your system but remove the Java plugin from your daily browser. Then use another browser that you use only for this one service.

Also note that Chrome has been doing a good job in sandboxing or otherwise securing risky add-ons and extensions. Many Java exploits do not work against Chrome. Also, Chrome does not use an Adobe Reader plugin to render PDF files. This is good news, as Chrome is quickly becoming the most common browser on the planet.



Wednesday, December 21, 2011

Dead Software Walking: Update Now! Posted by Sean @ 12:36 GMT

Some of our legacy software is approaching its end-of-life (EOL).

Leatherman Wave, because real network administrators are prepared for anything…

F-Secure has a long history of protecting its customers, and as a result, we have some long established customer relationships. And some of our customers have been running our software for years and years. But, just like any other software vendor, we have to stop support for old legacy products at some point.

Thus, we need to remind our home and corporate customers that antivirus updates for F-Secure 8-series software will end on January 1st, 2012.

In practice, EOL means that products such as these will no longer receive antivirus updates:

  •  F-Secure Internet Security 2009
  •  F-Secure Anti-Virus 2009
  •  F-Secure Client Security 8-series
  •  F-Secure Linux Security 7-series

There are other affected products as well. For a full list of affected consumer products, see here, and for a full list of affected corporate products, see here.

To reiterate: this doesn't just mean that these products are no longer supported (some of them have actually been out of support for quite a while). This means that the actual antivirus signature updates will no longer be published for these products. No new databases will be produced.

So upgrade now:

  •  Home users
  •  Business users

There's no reason not to upgrade. The upgrade is free and will continue to be valid for as long as you have a license/subscription.

If you're running a product which you received through an Internet Service Provider, then the operator will make sure your is software is up-to-date.

Here's a link to a discussion thread on the topic in our community site.

Do you have this installed?

F-Secure Internet Security 2009, published in 2008

Update now… the end is nigh.


Tuesday, December 20, 2011

ChatSend Spam Campaign on Both Facebook and Twitter Posted by Sean @ 13:55 GMT

We're seeing a rather suspicious social spam run on both Facebook and Twitter today.

ChatSend Spam, Facebook

And apparently, it's been spreading for 5 days.

ChatSend Spam, Twitter

The social spam uses a short link with various numerical parameters. And in an interesting move, the spam posts two links. (Perhaps this helps evade anti-spam filters?)

Depending on geo-IP and the link clicked, users are directed to where they are offered "ChatSend", a browser toolbar plugin.

ChatSend Spam,

Windows and Mac: both are welcome.

Nearly one million people have clicked on the spam link. There's no telling how many folks installed the download. As you can see from the statistics, a large percentage of clicks are from India and the Philippines.

ChatSend Spam, stats

We reported the suspicious link to and they are looking into the issue.


Monday, December 19, 2011

Rumors of Facebook Timeline Troubles Posted by Sean @ 16:20 GMT

Facebook has started rolling out its new Timeline profile and over the weekend, here in Finland, there were some reports that private messages are being posted to users' profiles.

We have seen no solid evidence of this. And given that Facebook's Finnish translation is far from perfect, the whole thing could just be a misunderstanding. Here's an example of one translation we read today… Timeline profiles now include a new type of story called "Life Events". In the "Health & Wellness" category, there's an option for "Got Contacts". In Finnish, the word used is for contact info, rather than contact lenses.

So we're still waiting to see just what type of "messages" are being posted.

Mikko Hypponen's Twitter feed is published to his Facebook Timeline, and you can subscribe there to his updates for breaking news.

If you have a Facebook account, you can activate your Timeline from You'll have seven days to preview (and clean up…) your timeline before it becomes public.

Updated to add on Tuesday, December 20th:

As we suspected, the rumors of private "messages" being leaked by Timeline is based on misunderstanding of old Wall-to-Wall conversations. There are numerous layout changes made with the new Timeline profiles and those changes are sure to generate many questions. For non-hysterical, fact based answers, presented in a non-techgeek fashion, see our page on Facebook and Safe and Savvy blog.


Tuesday, December 13, 2011

Patch For the Zero-Day Vulnerability Used by Duqu Posted by Mikko @ 19:06 GMT

It's patch Tuesday and Microsoft has just issued a patch for the zero-day vulnerability that was used by the Duqu malware discovered in October.


To quote the bulletin:

What does the update do?
The update addresses the vulnerability by modifying the way that a Windows kernel mode driver handles TrueType font files.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It is assigned Common Vulnerability and Exposure number CVE-2011-3402.

When this security bulletin was issued, had Microsoft received any reports the vulnerability was being exploited?
Yes. Microsoft was aware of limited, targeted attacks attempting to exploit the vulnerability. However, when the security bulletin was released, Microsoft had not seen any examples of proof of concept code published.


Monday, December 12, 2011

Premium Rate SMS Trojans in Google's Android Market Posted by Sean @ 15:33 GMT

Premium rate SMS trojans were discovered in Google's Android Market earlier today.

The developer, named "Logastrod", offered supposed free versions of many popular applications. And while Google has shut down the official market account, sites such as AppBrain still list the downloads.

Based on AppBrain's numbers, Lagostrod's apps were downloaded numerous times.

But that isn't the end of the story, the trojans are still live.

Avast's Jindrich Kubec sent a tweet towards Mikko with the developer's current name of "Miriada Production".

Miriada Production's Android Market account is currently online:

Miriada Production

There could be several such accounts in Android Market, turning Google's security efforts into a game of Whac-A-Mole.

If installed, the trojans will attempt to send a premium rate SMS using short codes.

Here's a screenshot from the fake World of Goo:


In the past, all of the premium rate SMS trojans that we've actively encountered have targeted Russia.

These trojans are targeting 18 countries.

The list includes the following ISO country codes: am, Armenia; az, Azerbaijan; by, Belarus; cz, Czech Republic; de, Germany; ee, Estonia; fr, France; gb, United Kingdom; ge, Georgia; il, Israel; kg, Kyrgyzstan; kz, Kazakhstan; lt, Lithuania; lv, Latvia; pl, Poland; ru, Russian Federation; tj, Tajikistan; ua, Ukraine.

So how is the developer attempting to justify their apps?

Well… it's in the fine print. Included within the app's installation agreement is language that says the "customer" will be subscribed to a premium service, and then the app, which is basically a wrapper, will then download the "free" game.

The cost to Germany is €1.99, and the cost to France is €4.50 (ouch).

Caveat emptor.

Updated to add: Miriada Production's account is no longer online.

Updated to add: Corrected .lt and .ua ISO codes.


Friday, December 9, 2011

Trade Fair... For Trojans Posted by Mikko @ 13:16 GMT

Trojans, backdoors, keyloggers and eavesdropping is used by online criminals. The same techniques are also used by governments. Some government do this to spy on their own people or to find dissidents. Other governments do this while investigating criminal suspects.

Most of the technology used in such intrusions are not developed by the governments themselves. They are made by private companies which are specializing in providing exploits, infection proxies and backdoors to governments.

For more background, see our blog posts:

  •  Egypt, FinFisher Intrusion Tools and Ethics
  •  Possible Governmental Backdoor Found ("Case R2D2")
  •  More Info on German State Backdoor

Where do governments buy this stuff from? Well, there's a conference and a trade fair on this very topic. It's called ISS World and it runs five times a year.

However, you can't simply walk into these events, as they are "by invitation only", and available only to "Telecommunication service providers, government employees and Law Enforcement Officers".

Nevertheless, we couldn't resist taking a peek when ISS World was in Kuala Lumpur this week.

ISS World Kuala Lumpur

Here's examples of the talks that were delivered:

ISS World Kuala Lumpur

The event was in a local Hilton, behind closed doors:

ISS World Kuala Lumpur

List of sponsors:

ISS World Kuala Lumpur

And here's the FinFisher booth, showcasing their IT Intrusion wares:

ISS World Kuala Lumpur

For more coverage on this mysterious event, see stories by WSJ (2011) and Wired (2006).


Trojan:Android/SMStado.A and Trojan:Android/FakeNotify.A Posted by ThreatSolutions @ 09:29 GMT

We ran across two Android premium-SMS trojans today, coincidentally both targeted at Russian users.

First, Trojan:Android/SMStado.A (SHA1: 718b8fbab302b3eb652ee0a5f43a5a2c5c0ad087).

As usual, the first hint of its nature comes in its requested permissions:

trojan_android_smstado_a_permission_1 (80k image) trojan_android_smstado_a_permission_2 (64k image)

On execution, the trojan leaks the following details to http://[...]

  •  International Mobile Equipment Identity (IMEI)
  •  Package Name
  •  Phone number
  •  Phone model

trojan_android_smstado_a_code (54k image)

trojan_android_smstado_a_run (67k image) trojan_android_smstado_a_run_2 (58k image)

These details are also stored in the app package's res\raw folder.

Additionally, when the app is run, if the user clicks the button on the bottom of the screen, SMS messages are sent out to specified premium rate phone numbers — all numbers so far have used the Russia country country code, often specifically the Moscow area. The SMS messages all contain the following text string:

  •  hm78929201647+1188+51+0+1+b92be

The trojan also downloads a package named love_position_v1.5.0.apk from a remote site:
(SHA1: 9cb4cc996fb165055e57e53ab5293c48567e9765)

trojan_android_smstado_a_download (73k image)

In our testing, the sample failed to run on the phone to which it was downloaded due to a parsing error:

trojan_android_smstado_a_download_error (22k image)

However, standalone analysis of the downloaded package on a separate, clean test phone showed that it has almost the same behavior as Trojan:Android/SMStado.A, though this one also starts a malicious service in the background on booting up:

trojan_android_smstado_a_service (96k image)

Our second malware is Trojan:Android/FakeNotify.A.

It pretends to be an update notifier application. These are the permissions used by the app and how it looks when it is installed on the phone:

trojan_android_fakenotify_permissions (83k image) trojan_android_fakenotify_downloaded (114k image)

Note: Though both Stados.A and FakeNotify.A have the same name (установка), Google Translate says this just means "installation". We think this just indicates that a generic word was used to name these apps, rather than being indicative of a relationship between these malware variants.

Once installed and executed, it displays a message that asks the user’s permission to download an application, using the name of a popular mobile game to catch the user's interest:

trojan_android_fakenotify_download_ui (36k image)

After clicking the "next" button, FakeNotify immediately sends out three sets of SMS messages in the background. The messages are sent to premium-rate phone numbers in Russia, and contain a text string in the following format:

  •  [24 digit string].1/316623

The SMS details used came from the database file embedded from the application.

Meanwhile, the user will not see any application download. Instead, another screen will appear that can lead to a website that offers more apps that could potentially be malicious as well:

trojan_android_fakenotify_download_agreement (32k image)

SHA1 Hashes for FakeNotify samples:

  •  28fdc27048d7460cda283c83c1276f3c2f443897
  •  f2eb2af5b289f771996546f65a771df80d4e44da
  •  cdc4b430eb6d6e3a9ce4eb4972e808778c0c7fb1

ThreatSolutions post by — Irene and Jessie


Monday, December 5, 2011

Q&A with @mikko and @FSLabsAdvisor (Sean) Posted by Sean @ 16:33 GMT

F-Secure's Community Manager, Ania, asked Mikko and I to take part in a Q&A week. And so, this week, from December 5th to the 9th, we'll be answering questions in our Community forums.

Q&A with Mikko Hypponen and Sean Sullivan

Disclaimer: December 6th is Finland's Independence Day… so, it's a day off. (Give us an extra day to reply.)

Please direct tech support questions to support threads. The Q&A is for security or research related topics, and there are lots of other guys and locations within Community to deal with support issues.

Though, some non-security related questions are okay.

Example question: what's it like living in Finland during the month of December?
Sean's answer: it's like suffering a month of jet lag (because there's so little sunlight).

Looking forward to your questions,


Thursday, December 1, 2011

Laptop Stickers 2011/2012 Posted by Sean @ 19:51 GMT

There's only a couple of more days to submit a suggestion to our Community's Laptop Sticker Contest.

Here's some of the suggestions we've received via Twitter.


You have until Monday to contribute. If you want to tweet, use #FSLS as a hashtag.

You can also contribute (and/or read what's been submitted thus far) in our Community.