Samker's Computer Forum - SCforum.info

World TOP Headlines: => Latest Security News & Alerts => Topic started by: Pez on 04. April 2013., 12:44:04

Title: Ongoing Google Play Attacks Plague Japanese with Variation on One-Click Fraud
Post by: Pez on 04. April 2013., 12:44:04
Ongoing Google Play Attacks Plague Japanese with Variation on One-Click Fraud

In what may be the biggest security-related incident on Google Play this year, multiple Trojans targeting Japanese users were discovered carrying the strain of Android one-click fraud. McAfee Mobile Research has already identified multiple developer accounts that were used to spread the malware and confirmed that more than 80 applications of this type existed on Google Play as of this writing. We have also reported additional developer accounts to Google Play Security for investigation and revocation.

(http://blogs.mcafee.com/wp-content/uploads/2013/04/one-click-fraud-gp-jpn-new-L.png)

Our investigation into the apps has shown that new variants of one-click fraud have been altered so that the fraud is not immediately identifiable unless the victim interacts with the apps–in effect making the apps “two-click fraud” or even “three-click fraud”–and making the automated screening and scanning process difficult.

In fact, these applications simply invoke the web browser on the device or the web-view component inside the application to load the web contents. This extra step by the fraudulent activities makes the automated detection of this type of malware more difficult.

(http://blogs.mcafee.com/wp-content/uploads/2013/04/one-click-fraud-gp-jpn-new-e.png)

One-click fraud is a threat vector that is unique to Japan and has been around for more than a decade on PCs, but recent aggressive tactics during the past year show that the criminals behind this scam are committed to exploiting mobile devices.

By using two or more clicks to commit fraud, an attacker can more easily trick users into believing that they are actually registered in the fraudulent service. Victims are more likely to pay money or give detailed personal information to the attacker.

In the current fraud, the attacker used multiple developer accounts on Google Play, as well as almost the same description of the applications across these separate accounts. This indicates that this type of fraudulent application variant is easily created and distributed. Actually, the attacker created new developer accounts soon after old accounts were banned due to malware reporting and published almost the same applications with minor changes under these new accounts.

What is worse, the essential part of this fraud occurs on the websites rather than inside the Android application, so there are still risks that the number of victims will increase via web browsing even if these applications are removed from Google Play.

McAfee detects this malware family as Android/OneClickFraud. We also detect and block the web accesses to the URLs used in this series of online fraud to protect users when they encounter the malicious fraud sites using their browsers. Make sure to keep your McAfee security products updated and stay tuned to McAfee Labs blogs for additional information as we continue our investigation.


Original article: Wednesday, April 3, 2013 at 9:08am by Daisuke Nakajima (http://blogs.mcafee.com/mcafee-labs/ongoing-google-play-attacks-plague-japanese-with-variation-on-one-click-fraud)

Title: One-Click Fraud Variant on Google Play in Japan Steals User Data
Post by: Pez on 10. April 2013., 11:16:55
UPDATE!

One-Click Fraud Variant on Google Play in Japan Steals User Data

Last week McAfee Labs (see the article above) reported a series of “one-click fraud” malware on Google Play in Japan. We have been monitoring this fraudulent activity and have found more than 120 additional variants on Google Play since the previous report. The malicious developers upload five or six applications per account using three to five accounts every night, even though almost all of the applications are quickly deleted from Google Play. In some cases the fraudsters upload the applications with few or no modifications to the previous ones, and in other cases they substantially modify images and descriptions. But the final behavior is always the same.

Most of the variants of this malware have the same functionality, with only slight differences in their implementation code. They simply show the fraudulent web pages on the in-application web component or the device’s browser.

McAfee has also found a variant of this family of malware with more dangerous features. This variant retrieves the device user’s Google account name–the email address–as well as the phone number, and sends the information to the attacker’s remote server.

(http://blogs.mcafee.com/wp-content/uploads/2013/04/dnakajim20130409-ocf-gp-jp-top.png)

The application description page on Google Play.

This application, tv.maniax.p_urapane1, is a 16-piece slider-puzzle game consisting of pornographic images. It also plays movie files when the user completes the game.

Unlike previous variants from this family of fraudulent malware, this application requires several permissions at installation that are usually unnecessary for this type of game:

• android.permission.READ_PHONE_STATE

• android.permission.GET_ACCOUNTS

(http://blogs.mcafee.com/wp-content/uploads/2013/04/dnakajim20130409-ocf-gp-jp-perm.png)

The malware’s list of required permissions.

Behind the scenes, the malware retrieves the user’s data using these permissions and sends it to a remote server by opening the URL http://man****app.com/m/users/aftpur/GOOGLE_ACCOUNT_NAME/PHONE_NUMBER. It stores the data in a MySQL database server using the Java Database Connectivity API in a database-driver library in the application.

(http://blogs.mcafee.com/wp-content/uploads/2013/04/dnakajim20130409-ocf-gp-jp-game.png)

Malware application screens.

(http://blogs.mcafee.com/wp-content/uploads/2013/04/ocf-gp-jp-dnakajim20130409-traffic.png)

Google account name and phone number data sent to the attacker’s server.

This application also displays some “advertisement” links at the bottom of the screen. The application’s description page on Google Play says that the developer does not guarantee the safety of these linked advertisements, implying that they are not aware of the contents of the ads. In fact, however, the application simply displays the image files bundled in the application package and invokes the browser with the hard-coded URL http://pr**.*obi/?neosp_nontop_eropne01, which is the fraudulent web page often used in other variants of this one-click-fraud family of malware.

(http://blogs.mcafee.com/wp-content/uploads/2013/04/dnakajim20130409-ocf-gp-jp-fraud.png)

Fraudulent web pages.

The stolen Google account name and phone number are not directly used in the fraudulent page opened from this application. However, we expect the attacker will try to use this information for future malicious activities.

Fortunately, this application was deleted from Google Play within a day after it was added, and so the number of victims should be small. But the appearance of this variant indicates that the attackers are determined to collect personal information from their victims and that they are capable of developing variants with more advanced features than previous ones.

McAfee Mobile Security detects this application as Android/OneClickFraud, and will continue to monitor for more fraudulent activities from this family in Japan.


Original article: Tuesday, April 9, 2013 at 11:07am by Daisuke Nakajima (http://blogs.mcafee.com/mcafee-labs/one-click-fraud-variant-on-google-play-in-japan-steals-user-data)
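The two indicators the update above gives for the data-stealing variant are a permission set that a slider-puzzle game does not need (READ_PHONE_STATE and GET_ACCOUNTS) and an exfiltration request of the form /m/users/aftpur/GOOGLE_ACCOUNT_NAME/PHONE_NUMBER. The following triage script, an added example and not McAfee's code, checks a manifest for those permissions and scans proxy-style log lines for that path pattern. The manifest, the log lines and the hostnames (exfil-server.example, fraud-site.example) are constructed for the example; the redacted hosts in the article are not filled in.

```python
"""Triage helper for the one-click-fraud variant described above.

Two checks, both on constructed sample input:
  1. Manifest: flag permissions a puzzle game has no reason to request
     (READ_PHONE_STATE, GET_ACCOUNTS).
  2. Traffic: flag GET requests whose path matches the exfiltration
     pattern /m/users/aftpur/<google_account>/<phone_number>.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that give away the account name and phone number. A puzzle
# game should not need either; tune the baseline per app category.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",  # phone number, IMEI
    "android.permission.GET_ACCOUNTS",      # Google account e-mail
}

# Constructed manifest modelled on the permission list in the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="tv.maniax.p_urapane1">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <application android:label="puzzle"/>
</manifest>
"""


def manifest_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission")
            if el.get(name_attr)}


def suspicious_permissions(manifest_xml):
    """Permissions in the manifest that are on the suspicious list."""
    return manifest_permissions(manifest_xml) & SUSPICIOUS_PERMISSIONS


# Exfil path from the article: /m/users/aftpur/<account>/<phone>.
# The account is an e-mail address; the phone is 6-15 digits, optional '+'.
EXFIL_PATH = re.compile(
    r"^/m/users/aftpur/(?P<account>[^/]+@[^/]+)/(?P<phone>\+?\d{6,15})/?$"
)

# Constructed proxy log lines ("client method url"). Hostnames are
# placeholders, not the redacted hosts from the article.
SAMPLE_PROXY_LOG = """\
10.0.0.7 GET http://exfil-server.example/m/users/aftpur/victim%40gmail.com/09012345678
10.0.0.7 GET http://fraud-site.example/?neosp_nontop_eropne01
10.0.0.8 GET http://play.google.com/store/apps/details?id=tv.maniax.p_urapane1
10.0.0.9 GET http://exfil-server.example/m/users/aftpur/not-an-email/123
"""


def find_exfil_requests(log_text):
    """Return one dict per request whose decoded path matches EXFIL_PATH."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # not a "client method url" record; skip it
        client, method, url = parts
        if method != "GET":
            continue
        split = urlsplit(url)
        match = EXFIL_PATH.match(unquote(split.path))  # %40 -> @
        if match:
            hits.append({
                "client": client,
                "host": split.hostname,
                "account": match["account"],
                "phone": match["phone"],
            })
    return hits


def triage(manifest_xml, log_text):
    """Combine both checks into one report."""
    return {
        "suspicious_permissions": sorted(suspicious_permissions(manifest_xml)),
        "exfil_requests": find_exfil_requests(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_PROXY_LOG).items():
        print(key, value)
```

The manifest check is the cheap, static signal: it catches the variant before it runs. The traffic check is what catches it after the fact, since the account name and phone number travel in the URL path and therefore show up in any proxy or DNS-plus-HTTP log; the regex deliberately requires an e-mail-shaped first segment so that unrelated paths under the same prefix are not reported.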