AVG Community Powered Threat Report - Q2/2011
As anticipated in our last report, this year mobile malware is going to make the headlines. A lot of this may be explained by the massive and practically defenseless target posed by the exploding number of smart phones, tablets and other advanced mobile devices.
Gartner forecasts that total sales of mobile communication devices to end users will reach roughly 413 million units this year, an attractive target for attackers.
In line with this development we have observed cyber criminals shifting resources from PC to mobile targets. The current low security awareness among mobile users opens the door for criminals to monetize quickly.
They also do not need to repeat the long evolution that PC malware went through: the knowledge and the tricks already exist, and the criminals only have to apply them to the new platform.
AVG Threat Labs has seen several monetization methods in use on mobile platforms, the most popular being premium SMS. All the criminals need to do is persuade a user to download an app they think they need; once installed, it sends an SMS to a premium-rate number and the victim is billed. Below is one example out of many we found this quarter.
China Mobile is considered the world's largest mobile operator, with more than 70% of the Chinese domestic market and 518 million subscribers (source:
1. The chosen attack vector was a text message to China Mobile subscribers.
2. It was a phishing attack disguised as a message from China Mobile, luring users into believing it came from 10086, China Mobile's customer service number. The message contained a link to a phishing site.
3. The criminals used a domain name that looks like the legitimate one: 1oo86.cn instead of the real 10086.cn (the letter "o" in place of the digit zero), a difference a novice user is unlikely to notice.
4. Clicking the link downloaded an app, and the user suspected nothing because they expected an update to be downloaded and installed. The attacker gains a further advantage here: if the user sees nothing happen on their device, they forget about it and leave the
5. The criminals developed two variants, one for Android and one for Symbian OS.
6. When installed, it performs the following activities:
a. It downloads a configuration file.
b. It sends out device information (such as the IMEI number, phone model and SDK version).
c. It writes to a log file.
d. It allows remote control and monitoring of the device.
e. It includes an update mechanism.
The crown jewels of this piece of malware are the premium SMS charges: the malware sends text messages to premium-rate numbers. Premium messaging is a service in which a user subscribes to receive content and is billed for it by a third party; the charges can be one-time or recurring. The subscription process is monitored by the cyber criminals.
The user is charged premium prices and their phone bill grows. The malware can hide this activity from the user by not listing the sent and received text messages.
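The lookalike domain in step 3 above (1oo86.cn standing in for 10086.cn) is the kind of thing an SMS gateway or a mail filter can catch mechanically. The following is an added example, not AVG's code and not code from the malware: it maps every domain found in a message to a "skeleton" in which easily confused characters (o/0, l/1/I and so on) collapse to one form, compares that skeleton with a list of known legitimate domains, and separately flags the legitimate name being used as a leading label of some other domain. The confusable table, the legitimate-domain list and the sample messages are all constructed for this example.

```python
"""Lookalike-domain check for SMS phishing text.

Added example, not AVG's code: the confusable table, the legitimate
domain list and the sample messages below are constructed for illustration.
"""
import re

# Characters that read alike on a small screen. Every character in a class is
# rewritten to the first one, so "1oo86.cn" and "10086.cn" get the same skeleton.
# Assumed table: extend it for the scripts you see in your own traffic
# (IDN/punycode homographs such as Cyrillic letters are out of scope here).
_CLASSES = ("0oO", "1lI|", "5sS", "8B", "2zZ")
_TABLE = {ord(ch): cls[0] for cls in _CLASSES for ch in cls}
# Multi-character confusables: "rn" renders like "m", "vv" like "w".
_PAIRS = (("rn", "m"), ("vv", "w"))

# Domains we treat as legitimate for this check (constructed list).
LEGIT_DOMAINS = ("10086.cn", "chinamobile.com")

# Dotted host names in free text; good enough for SMS, not a full URL parser.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def skeleton(domain: str) -> str:
    """Collapse a domain to a form in which confusable characters compare equal."""
    s = domain.translate(_TABLE).lower()
    for src, dst in _PAIRS:
        s = s.replace(src, dst)
    return s


def lookalike_domains(text: str):
    """Return (domain, imitated_legit_domain, reason) for every suspicious
    domain in `text`. The legitimate domains and their own subdomains pass."""
    legit_by_skel = {skeleton(d): d for d in LEGIT_DOMAINS}
    hits = []
    for dom in DOMAIN_RE.findall(text):
        dom_l = dom.lower()
        if dom_l in LEGIT_DOMAINS or any(dom_l.endswith("." + ld) for ld in LEGIT_DOMAINS):
            continue  # the real site, or a real subdomain such as www.10086.cn
        target = legit_by_skel.get(skeleton(dom_l))
        if target is not None:
            hits.append((dom_l, target, "confusable"))  # e.g. 1oo86.cn vs 10086.cn
            continue
        for ld in LEGIT_DOMAINS:
            if dom_l.startswith(ld + "."):
                # 10086.cn.attacker.example: the real name is only a leading label
                hits.append((dom_l, ld, "embedded"))
                break
    return hits


# Constructed sample messages; only the first and the third should be flagged.
SAMPLES = [
    "China Mobile notice: your 10086 client needs an update, install it from http://1oo86.cn/update",
    "Check your bill at http://www.10086.cn/",
    "Congratulations! Claim your prize at http://10086.cn.prize-center.example/win",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(lookalike_domains(msg) or "clean", "<-", msg)
```

The skeleton comparison deliberately rewrites the legitimate domains too, so the check does not depend on which side of the comparison the attacker's spelling falls on; the subdomain exemption (`www.10086.cn`) keeps the operator's own links from being flagged.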
Up until now, the main tactic used by attackers has been to upload malicious applications to the Android Market. Google, for the second time in three months, had to remove dozens of malicious applications from the Android Market. Some of these apps were pirated legitimate programs that had been modified with malicious code and uploaded again.
However, as AVG Threat Labs has seen lately, a phishing method is also in use: text messages, instant messages or emails whose content tries to lure users into installing malware on their mobile. Cyber criminals use the same social engineering tactics against mobile users as against PC users; they know they can succeed by targeting the weakest link in the chain, the human. Social engineering attacks are more difficult to protect against.
As in the example above, the criminals' mobile monetization mainly comes via premium-rate services: SMS Trojans, which send text messages to premium-rate numbers, or applications that initiate calls to premium-rate numbers.
Mobile malware has reached the sophistication and complexity of PC malware. Most mobile malware uses a command-and-control (C&C) channel to support and update the malware remotely, which maximizes the criminals' profit. Through the C&C channel the attacker can monitor activity performed on the mobile device.
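The behaviour described above (sending premium SMS, hiding the replies, reporting the IMEI, fetching configuration and updates from a C&C server) is visible in an Android package before it ever runs, as a combination of requested permissions and a high-priority receiver for incoming SMS: on Android versions of that era the SMS_RECEIVED ordered broadcast could be intercepted and aborted by the highest-priority receiver, which is how an SMS Trojan keeps premium-service replies out of the inbox. The following added example, not AVG's code or detection logic, scores a decoded AndroidManifest.xml on that combination. Both manifests are constructed for the example (decoding the binary manifest of a real APK with a tool such as apktool is assumed to have happened beforehand), and the weights and the priority threshold are assumptions.

```python
"""Score a decoded AndroidManifest.xml for the SMS-Trojan pattern described above.

Added example, not AVG's code. The manifests are constructed; a real APK's
binary manifest would first be decoded with a tool such as apktool. Weights,
verdict cut-offs and the priority threshold are assumptions for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Assumed threshold: SMS Trojans registered receivers with a very high priority
# so they ran before the stock messaging app and could abort the ordered
# broadcast, keeping premium-service replies out of the user's inbox.
HIGH_PRIORITY = 100


def _permissions(root):
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def _sms_receivers(root):
    """(receiver name, intent-filter priority) for every SMS_RECEIVED receiver."""
    found = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(flt.get(ANDROID_NS + "priority", "0"))
                found.append((rcv.get(ANDROID_NS + "name"), prio))
    return found


def assess_manifest(xml_text: str) -> dict:
    """Return a score, a verdict and the findings that produced them."""
    root = ET.fromstring(xml_text)
    perms = _permissions(root)
    receivers = _sms_receivers(root)
    findings, score = [], 0

    if "android.permission.SEND_SMS" in perms:
        findings.append("SEND_SMS: can text premium-rate numbers without user interaction")
        score += 3
    if "android.permission.RECEIVE_SMS" in perms and any(p >= HIGH_PRIORITY for _, p in receivers):
        findings.append("high-priority SMS_RECEIVED receiver: can intercept and hide incoming SMS")
        score += 3
    if "android.permission.READ_PHONE_STATE" in perms:
        findings.append("READ_PHONE_STATE: IMEI and phone identity available to report to C&C")
        score += 1
    if "android.permission.INTERNET" in perms:
        findings.append("INTERNET: can fetch configuration and updates from a C&C server")
        score += 1

    verdict = "likely SMS trojan" if score >= 6 else "review" if score >= 3 else "low"
    return {"score": score, "verdict": verdict, "findings": findings, "sms_receivers": receivers}


# Constructed manifest resembling the fake "update" app described in the report.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.fake.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Update">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: network access only, no SMS capability at all.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.benign.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Game"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = assess_manifest(manifest)
        print(name, result["verdict"], result["score"], *result["findings"], sep="\n  ")
```

A manifest check like this is a triage filter, not a verdict on its own: a legitimate messaging app legitimately asks for the same permissions, which is why the scoring weights the combination (send plus intercept plus identity plus network) rather than any single permission.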
• Any mobile device should be equipped with security measures.
• AVG provides 'AVG Mobilation', free software for Android that protects users from such threats.
• Become security aware and expect to be a target of criminal activity.
• Be cautious about what you download to your device.
• Monitor your device's activity.
• The most important task is... check your phone bills.