Sep 18, 2011

FakePlayer - Android Malware



File Name: pornoplayer2.apk
MD5: 46a53f4a6637e2807d79102a6a937c2e
SHA1: 17144b0e95a07ffd5bd7c8e3bf95004fe5fe2305

I have just started analyzing Android malware. Here I explain the fake media player application Pornoplayer2.

This application installs as a media player application on an Android device. Once installed, it sends SMS messages to premium-rate phone numbers from the infected phone.

When the application is opened, it displays the Russian text "Подождите..." ("Please wait...") to the user.


It then sends the following numbers as text messages to the premium number "7132". The display text and the premium number used by this malware clearly indicate that it targets Russian Android users.

"846978"
"845785"
"846006"
"844858"

It also sends the text message "dx427123" 4 times to the premium number "4161", as shown below.



To avoid this kind of malware being installed on your Android device, always install applications from a well-known source such as the Android Market, and verify the permissions requested by the application at install time.
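As an added example (not part of the original write-up), the following Python scans a constructed outbound-SMS log for the indicators listed above and for the burst pattern this malware shows, which is the kind of check a device-side monitor or forensic review of an SMS log could apply; the log line format and the package name com.example.pornoplayer2 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the write-up: short codes and message bodies used by FakePlayer.
KNOWN_SHORTCODES = {"7132", "4161"}
KNOWN_BODIES = {"846978", "845785", "846006", "844858", "dx427123"}
SHORTCODE_RE = re.compile(r"^\d{4,6}$")  # premium short codes are typically 4-6 digits
# Hypothetical log format: '<ISO timestamp> <package> -> <destination> "<body>"'
LINE_RE = re.compile(r'^(\S+) (\S+) -> (\S+) "(.*)"$')

def parse_sms_log(lines):
    """Parse constructed outbound-SMS log lines into (timestamp, package, dest, body)."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, pkg, dest, body = m.groups()
            records.append((datetime.fromisoformat(ts), pkg, dest, body))
    return records

def flag_premium_sms(records, window=timedelta(minutes=5), burst=3):
    """Per package: IoC matches, plus short codes that got >= `burst` texts within `window`."""
    findings = defaultdict(lambda: {"ioc_hits": [], "bursts": []})
    per_dest = defaultdict(list)
    for ts, pkg, dest, body in records:
        if dest in KNOWN_SHORTCODES or body in KNOWN_BODIES:
            findings[pkg]["ioc_hits"].append((dest, body))
        if SHORTCODE_RE.match(dest):
            per_dest[(pkg, dest)].append(ts)
    # Heuristic: repeated texts to one short code in a short window is suspicious
    # even when the number is not yet on any indicator list.
    for (pkg, dest), stamps in per_dest.items():
        stamps.sort()
        if any(stamps[i + burst - 1] - stamps[i] <= window for i in range(len(stamps) - burst + 1)):
            findings[pkg]["bursts"].append(dest)
    return dict(findings)

# Constructed sample log reproducing the pattern described above, plus one benign text.
SAMPLE_LOG = [
    '2011-09-18T10:00:01 com.example.pornoplayer2 -> 7132 "846978"',
    '2011-09-18T10:00:02 com.example.pornoplayer2 -> 7132 "845785"',
    '2011-09-18T10:00:03 com.example.pornoplayer2 -> 7132 "846006"',
    '2011-09-18T10:00:04 com.example.pornoplayer2 -> 7132 "844858"',
] + ['2011-09-18T10:00:0%d com.example.pornoplayer2 -> 4161 "dx427123"' % i for i in range(5, 9)] + [
    '2011-09-18T10:30:00 com.android.mms -> +79161234567 "see you at 7"',
]

def scan_sample():
    return flag_premium_sms(parse_sms_log(SAMPLE_LOG))
```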




Sep 10, 2011

SCAM - "Facebook : 7th Birthday Celebration.Free T-Shirts or Free Shoes"

Here is the latest scam targeting users, saying "get your Free T-Shirts or Shoes ordered from us. Share it with your friends :)" and asking you to click a tiny URL that is actually a scam link.


Fig: 1
Above are the tiny URLs with the scam message. The original URLs are shown below:

Tiny URL: http://goo.gl/V72WW -> Full URL: http://cshoes.fbnew.info/
Tiny URL: http://s6x.it/3i5yg -> Full URL: http://www.free.fb-tshirts.info/

You can check a suspected tiny URL at http://longurl.org/ or use plugins for Firefox and Google Chrome that automatically display the full URL when you hover over the tiny URL.

Fig: 2
Once you click the scam link, it takes you to the site http://cshoes.fbnew.info/.

Fig: 3
It uses the Facebook Social Plugin "Like" button to post the message to your News Feed so your friends see it. It also sends spam mail from your registered email address to your friends, asking them to click the scam link.

Fig: 4
It targets not only Facebook users; it also looks for other popular social networking sites:

Fig: 5
When you click the "Click Here" button shown in Fig: 3 to redeem your T-shirt, it takes you to a page like the one below and asks you to follow some steps so the process appears legitimate, but it is fake.

Fig: 6


Then it asks you to enter your details. This is a fake sign-up process designed to make you believe the offer completely.

Fig: 7
Finally it says "Your registration for official facebook free Shoes is completed, We'll get back to you shortly via FB :)"

Fig: 8

Do not click on these scam messages.


Sep 4, 2011

Banker Trojan



File source: http://eugeniagreco.sites.uol.com.br/71.jpg
MD5: e8e39e0942ecfb36f7596059a959cfff
SHA1: 8a19042485802635bd5f0d82ad4d5dd92eb04fe9
SHA256: 08f22da1804956a01bdfc0ce9a4857004b52be6e2236f3b4a126a7ed9422cbd7


This Trojan targets the well-known Spanish financial services provider 'Santander'. It is downloaded to the system disguised as a JPG image. Once triggered, it loads into memory and waits until the user searches for the keyword "Internet Banking" in any search engine or accesses the site https://www.santandernet.com.br/default.asp.

Once the user accesses the above link or searches for that keyword, it spawns a fake login page like the one below.


It asks you to enter your agency and account information for the Santander Internet Banking service. I entered a string of '1's as the agency and account number; see below.


A real site would say "Invalid account information", but since this is a fake login page you see a page like the one above, as if you had logged into a valid account. Then it asks you to enter your user name and password using the virtual keyboard.
  




Here too I entered a string of '1's as the user name and password; see above.

In the background it contacts the remote IP "216.246.46.234" and sends all the login credentials.



Since I used '1's for every input, you see only '1's for all of those fields (agency, account, user and password). It sends the system MAC address and OS information to the remote server along with the login credentials.