ExpensiveWall Affects Millions

Google has been battling malicious apps throughout the year; most recently, malware was packed in an app called “Lovely Wallpaper”. This new strain of malware was titled “ExpensiveWall”, and hid in the wallpaper application while stealthily racking up premium SMS fees. It further propagates by sending out text messages on your behalf, inviting others to download the same compromised app.

The malware was compressed and encrypted within an SDK used by roughly 50 different apps without being detected by Google. It is still undetermined how much money was actually generated from this SMS scam.

How it Works

ExpensiveWall uses JavaScript along with the enhanced permissions on the infected device to orchestrate the attack. It creates an interactive interface between the downloaded app and a web interface called WebView. This allows the malware to run in-app controls through the WebView interface, including but not limited to sending SMS messages and registering the user’s device to premium paid services without notice. The only way for this malware to work is if the user allows full SMS control and communication to its command and control server. This communication sends data about the infected device, including its IP address, MAC address and geolocation data.

What can you do to Prevent it?

Simply put, be aware of what permissions you are granting applications when you install them. The fact that millions of other people have downloaded an app and given it good reviews does not mean that it is safe. This app is clear-cut proof of that. Below are some things that should throw up red flags when installing an application.

• Make calls or texts on your behalf
• Receive SMS
• Read contacts or sensitive device logs
• Communicate with other applications
• Control/disable the keyboard
• Kill processes
• Write secure settings
• Have the ability to authenticate accounts
• Create system services
• Control in-app billing/services
• Accessing GPS data

Some of these may actually be needed in order for certain applications to function properly, but be cautious. If you don’t think that flashlight app needs to make calls on your behalf, don’t install it. Lastly, a solid antivirus with web-browsing and application scanning is a necessity for your mobile device.
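As an added example that is not part of the original post or of any vendor tool, the script below parses an Android manifest and reports which of the red-flag capabilities listed above the app requests. The mapping from the list items to concrete Android permission names is my own approximation (a few items, such as “communicate with other applications”, have no single permission equivalent and are left out), and the manifest is constructed to resemble a wallpaper app that asks for far more than it needs.

```python
"""Flag red-flag permission requests in an Android manifest.

Added example; the RED_FLAGS mapping is an assumed approximation of the
post's list, and SAMPLE_MANIFEST is constructed for demonstration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Red-flag capabilities from the post mapped to Android permission strings
# (assumed mapping; not every list item has a single permission equivalent).
RED_FLAGS = {
    "android.permission.SEND_SMS": "make calls or texts on your behalf",
    "android.permission.CALL_PHONE": "make calls or texts on your behalf",
    "android.permission.RECEIVE_SMS": "receive SMS",
    "android.permission.READ_SMS": "receive SMS",
    "android.permission.READ_CONTACTS": "read contacts or sensitive device logs",
    "android.permission.READ_LOGS": "read contacts or sensitive device logs",
    "android.permission.KILL_BACKGROUND_PROCESSES": "kill processes",
    "android.permission.WRITE_SECURE_SETTINGS": "write secure settings",
    "android.permission.AUTHENTICATE_ACCOUNTS": "authenticate accounts",
    "com.android.vending.BILLING": "control in-app billing/services",
    "android.permission.ACCESS_FINE_LOCATION": "access GPS data",
    "android.permission.ACCESS_COARSE_LOCATION": "access GPS data",
}

# Permissions a wallpaper app plausibly needs (assumed baseline for this app type).
WALLPAPER_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.SET_WALLPAPER",
}

# Constructed manifest: a wallpaper app requesting SMS and location access.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lovelywallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Lovely Wallpaper"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def red_flag_report(manifest_xml):
    """Map each requested red-flag permission to the reason it is a red flag."""
    return {p: RED_FLAGS[p] for p in requested_permissions(manifest_xml) if p in RED_FLAGS}


def unexpected_for_type(manifest_xml, baseline):
    """Requested permissions outside the baseline for this kind of app."""
    return sorted(set(requested_permissions(manifest_xml)) - baseline)


def verdict(manifest_xml, baseline):
    """'install' if nothing is flagged, otherwise 'review' with the findings."""
    flags = red_flag_report(manifest_xml)
    extra = unexpected_for_type(manifest_xml, baseline)
    if not flags and not extra:
        return "install"
    return "review: red flags=%s, unexpected=%s" % (sorted(flags), extra)


if __name__ == "__main__":
    for perm, reason in red_flag_report(SAMPLE_MANIFEST).items():
        print("RED FLAG %-45s (%s)" % (perm, reason))
    print(verdict(SAMPLE_MANIFEST, WALLPAPER_BASELINE))
```

The two checks are deliberately separate: the red-flag list catches dangerous capabilities regardless of app type, while the baseline comparison catches anything a wallpaper app has no business asking for, which is the “does a flashlight app need to make calls?” question from the text.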

The Intern’s Security Practices Part 2: Links and Software

As Defence Intelligence’s intern, I decided to survey my class at Algonquin College to find out how they protect themselves from digital threats. Here is the next section of the survey results on links and software.

To start, I asked if my classmates open links on various social media sites and in emails. Here is what they said:

Some of these results could be off because they may not have an account on LinkedIn or Twitter. Since all students have an e-mail address and the majority have a Facebook account as well, it’s not surprising that they have the highest percentage. I will open links on any of those platforms if I recognize the sender and it’s something they normally do. This is how I fall into the 67 per cent that open links from known sources.

With that said, I don’t open every link received from someone that I know. I read the text around the link and check Google for any warnings. This habit saved me from a virus spread through Twitter where you received a message from a friend saying they found a picture of you. When you clicked the link it gave you the virus. With 80 per cent of the students saying they don’t open messages that are just a link, it looks like when it comes to links they have an idea of how to act securely.

It surprised me to find that only 65 per cent of the students admitted to downloading music or movies through sharing and torrents. I’m definitely guilty of this from time to time, especially when it comes to movies.

Moving on to software, we wanted to know when students decide to update their software.

It’s interesting to note that one student wrote on the survey that they check to see how important the update is.

The most surprising result of the survey was that 82 per cent of students said that they don’t have antivirus software on their phones. I would be curious to see how many are iPhone or Android users. As an iPhone user I’m not sure I have any antivirus software.

“People fail to realize that their phone is a computer and should be treated as such,” said Keith Murphy, Defence Intelligence CEO.

Similarly, 35 per cent of students don’t have antivirus software on their computer or laptop, and 22 per cent don’t know if they have any. This was a shock to both Murphy and myself.

“If they don’t know whether they have AV, it’s safe to assume that they don’t,” said Murphy.

With this news, it’s no surprise that 22 per cent admit to discovering a virus on their computer. Of the 43 per cent of the students that have antivirus software on their computer or laptop, 17.5 per cent use McAfee, 12.5 per cent use Symantec/Norton, two per cent use Windows Essentials, seven per cent use Avast, and five per cent use a different type of software.

Stay tuned for our last post concerning the security attitudes of the students.

By Sarah Raphael

Bitdefender Gets a Bit Too Defensive

Bitdefender antivirus unwittingly released a signature update to its users on March 20th that detected and quarantined key Windows system files as malware, causing general OS failures.

Bitdefender had this statement on the news portion of their site:

“Saturday around 8:20am PST, an update that we were working on was uploaded prematurely in our servers. This update affected only products running on Windows 64-bit systems.”

The premature update caused various .exe and .dll files to be quarantined for both the Windows software and the Bitdefender software, each file detected as Trojan.FakeAlert.5.

“Consequently, for some systems, BitDefender did not run anymore, applications did not work or Windows could not start.”

This caused quite an uproar among the AV’s users as well as Bullguard antivirus users, whose software relies on Bitdefender’s engine and signatures. Though both companies have offered assistance in remediating the situation, many customers are outraged, especially when the only compensation offered to users so far has been free usage of the very software that caused the problem. A blunder like this also does nothing for the image of AV whose credibility and effectiveness has been in question for the last few years.

Detection rates by some AV groups are often low, and the gap between the release of new malware and its detection by AV is currently too significant, allowing for the growth of large botnets like Mariposa. False alarms, especially when automatically quarantined, can disrupt or severely damage home user and business systems, as this update mishap has shown.
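The failure described above, a signature that fires on the operating system’s own files and is auto-quarantined, is the kind of defect a pre-release regression gate is meant to catch. The following is an added illustration, not Bitdefender’s or Bullguard’s actual release process: it assumes a signature is a simple byte pattern and that a corpus of known-good OS and product files is scanned before a signature set is published. All file contents and signature names are constructed.

```python
"""Pre-release regression gate for an antivirus signature update.

Added example; not any vendor's real pipeline. Signatures are modelled as
byte patterns, and KNOWN_GOOD is a constructed stand-in for a corpus of
clean OS and product binaries that no release may ever detect.
"""

# Constructed clean corpus: path -> file bytes. "MZ\x90\x00" is the usual
# start of a Windows PE header, so these stand in for real system binaries.
KNOWN_GOOD = {
    r"C:\Windows\System32\kernel32.dll": b"MZ\x90\x00 KERNEL32 core library stub",
    r"C:\Windows\System32\winlogon.exe": b"MZ\x90\x00 WINLOGON logon process stub",
    r"C:\Program Files\AV\vsserv.exe": b"MZ\x90\x00 AV service executable stub",
}

# Constructed candidate signature set: name -> byte pattern.
# The second pattern matches every PE header and would quarantine the whole OS.
CANDIDATE_SIGNATURES = {
    "Trojan.Example.A": b"constructed_fake_alert_marker",
    "Trojan.Overbroad.B": b"MZ\x90\x00",
}


def scan(signatures, files):
    """Return (signature, path) pairs for every pattern found in a file."""
    hits = []
    for sig_name, pattern in signatures.items():
        for path, content in files.items():
            if pattern in content:
                hits.append((sig_name, path))
    return hits


def release_gate(signatures, known_good):
    """Block publication if any signature fires on the clean corpus.

    Returns (ok, blocked) where blocked lists the offending signature names.
    """
    hits = scan(signatures, known_good)
    blocked = sorted({sig for sig, _ in hits})
    return (len(blocked) == 0, blocked)


def publishable_subset(signatures, known_good):
    """Drop signatures that fail the gate so the rest can still ship."""
    _, blocked = release_gate(signatures, known_good)
    return {name: pat for name, pat in signatures.items() if name not in blocked}


if __name__ == "__main__":
    ok, blocked = release_gate(CANDIDATE_SIGNATURES, KNOWN_GOOD)
    print("release ok:", ok)
    for sig, path in scan(CANDIDATE_SIGNATURES, KNOWN_GOOD):
        print("FALSE POSITIVE %s on %s" % (sig, path))
    print("shipping:", sorted(publishable_subset(CANDIDATE_SIGNATURES, KNOWN_GOOD)))
```

The gate is intentionally all-or-nothing per signature: a single hit on the clean corpus is enough to hold that signature back, because in production the cost of a match is not a log line but an automatic quarantine of a file the system needs to boot.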

I’m sure many of the Bitdefender/Bullguard users will be jumping ship, scouting alternative antivirus software, but how will they know which one to choose and which one to trust? A lot of AV company blogs end with something like: “make sure you are completely updated with the latest signatures or software versions to ensure your protection.”

Well, that’s not working for Bitdefender. What are they going to say now?

Bitdefender’s help page:
http://www.bitdefender.com/site/KnowledgeBase/consumer/#638

Bullguard’s help page:
http://bullguard.com/support/system-status.aspx

Matt Sully
Director
Threat Research & Analysis
