Mobile Ad Malware Toolkits on Rise

Tuesday, February 5, 2013 @ 05:02 PM gHale


There is an increase in mobile advertising malware toolkits with four typical methods cybercriminals are using today to extract money from their victims, a new report said.

In addition, the report shows increasing activity in mobile malware variants of the Android Plankton ad kit as well as in hacktivist Web server vulnerability scanning.

RELATED STORIES
Defense Industry Spear Phishing Attack
RAT Looks Innocent, but it Attacks
Malware Spreads through Skype
Dorkbot Worm Goes Global

In the last three months, FortiGuard Labs found four pieces of malware that spiked, showing high levels of activity within a very short period of time (from a day to a week). The following are four typical methods cyber criminals are using:

Simda.B: This malware poses as a Flash update in order to trick users into granting their full installation rights. Once installed, the malware steals the user’s passwords, allowing attackers to infiltrate a victim’s email and social networking accounts to spread spam or malware, access Website admin accounts for hosting malicious sites and siphoning money from online payment system accounts.

FakeAlert.D: This fake antivirus malware notifies users via a convincing-looking pop-up window their computer suffered an infection with viruses, and that, for a fee, the fake antivirus software will remove the viruses from the victim’s computer.

Ransom.BE78: This is ransomware is a piece of malware that prevents users from accessing their personal data. Typically the infection either prevents a user’s machine from booting or encrypts data on the victim’s machine and then demands payment for the key to decrypt it.

Zbot.ANQ: This Trojan is the “client-side” component of a version of the infamous Zeus crime-kit. It intercepts a user’s online bank login attempts and then uses social engineering to trick them into installing a mobile component of the malware on their smartphones. Once the mobile element is in place, cybercriminals can then intercept bank confirmation SMS messages and subsequently transfer funds to a money mule’s account.

“While methods of monetizing malware have evolved over the years, cybercriminals today seem to be more open and confrontational in their demands for money − for faster returns,” said Guillaume Lovet, senior manager of FortiGuard Labs’ Threat Response Team. “Now it’s not just about silently swiping passwords, it’s also about bullying infected users into paying.”

In addition, FortiGuard Labs detected a surge in the distribution of the Android Plankton ad kit. This malware embeds a common toolset on a user’s android device that serves unwanted advertisements in the user’s status bar, tracks the user’s International Mobile Equipment Identity (IMEI) number and drops icons on the device’s desktop.

In the last three months, the kit’s activity plunged. In its place, FortiGuard Labs detected the rise of ad kits that appear to get its inspiration by Plankton and have approached the same elevated activity level Plankton was operating at three months ago.

In the third quarter of 2012, FortiGuard Labs detected high activity levels of ZmEu, a tool developed by Romanian hackers to scan Web servers running vulnerable versions of the mySQL administration software (phpMyAdmin) in order to take control of those servers. Since September, the activity level has risen a full nine times before finally leveling off in December.

“This activity spike suggests a heightened interest by hacktivist groups to facilitate various protests and activist movements around the world. We expect such scanning activity to remain high as hacktivists pursue an ever-increasing number of causes and publicize their successes,” Lovet said.



Leave a Reply

You must be logged in to post a comment.