
The Armadillo Phone - A Security Review

December 01, 2020
Dear blog readers,

As many of you know, in 2019 I joined forces with Team Armadillo Phone as Security Blogger, in the fight against cybercriminals including nation-state, rogue, malicious and possibly fraudulent cyber adversaries, and I wanted to say a big thanks to COO Rob Chaboyer and CEO Kelaghn Noy for bringing me on board and for initiating a series of video conversations to better understand my motivation for joining the company and what exactly I can bring on board.

Among my first responsibilities will possibly be an actual Security Audit, Security Advice and Recommendations including practical implementation advice on new Privacy and Security themed features, reaching out to current and future customers, and actively posting new and innovative Security Research on the company's blog.

In this post I'll provide an in-depth Security Review of the Armadillo Phone's Privacy and Security features, including their relevance and importance in today's adversary-dominated Internet-based communication ecosystem, and an introduction to some of the key features I'm looking forward to helping implement, along with practical advice on new Privacy and Security features that could help current and future customers achieve a decent degree of Privacy and Security in their Internet-based communications.

Key Features of the Device include:

- Tamper-Resistant Packing
- Device Inspection
- Secure Hardware
- Multiple Passwords
- Zero Day Protection
- Security Peripherals

Among my key proposals, which I sincerely hope will eventually make their way onto COO Rob Chaboyer and CEO Kelaghn Noy's desks, are:
  • Security Researcher Working Space or Security Module - the basic idea here is to offer a built-in full-disclosure reader application, including automatic subscription to major and popular Information Security and Hacking mailing lists.
  • Built-in RSS Reader - the main idea here is to offer Armadillo Phone users a built-in RSS reader with a pre-defined set of major and high-profile Security and Privacy content providers.
  • Security, Privacy and National-Security Journalists' Opt-In Directory - have you ever wanted to directly reach out to a high-profile Security, Privacy or National Security journalist to share your opinion on a particular piece, or to share a news tip? That is the main purpose behind this feature.
  • Covert Channels - the main purpose behind this feature is to give Armadillo Phone users, in particular journalists and hacktivists, the ability to securely and covertly transmit information over a channel designed to be very hard to track down or intercept.
  • Steganography - the main purpose behind this feature is to give Armadillo Phone users an alternative secure communication channel designed to be very hard to intercept, track down or censor.
Key Security and Privacy Features of the Device include:
  • AES-256-XTS block-level FDE
  • Block-level FDE instead of Android's file-based encryption
  • Scrypt work factors increased
  • Minimum 8-character alphanumeric password
  • Completely software-based
  • Keymaster and gatekeeper disabled
  • Normal password for deniable encryption
  • Secret password stored at randomized offset
  • Secret volume is hidden inside unused portion of decoy data
  • Wipe password in footer to erase device
  • Separate lockscreen password
  • Password verification order randomized at runtime to prevent timing attacks 
  • Enhanced KASLR and userland ASLR
  • Increased ASLR entropy
  • Several PaX patches ported
  • Zygote uses exec() spawning instead of fork()
  • Improved SELinux rules
  • Hardened malloc implementation
  • Stack and heap canaries detect overflows
  • Enhanced FORTIFY_SOURCE implementation
  • Function pointer protection
  • Restrictive compile-time sanitization
  • Additional attack surface reduction
  • All connections made using pinned TLS 1.2 connections with 4096-bit certificate keys
  • Metadata can be further protected by enabling optional VPN
  • Verify encryption keys using manual verification, QR code, SMP or NFC
  • Chat uses OMEMO encryption
  • Email uses PGP encryption
  • Email uses randomized subjects
  • Email uses encrypted connection to keyserver and mailserver
  • Email requires 4096-bit PGP keys
  • Radio Sentinel: Monitors WiFi networks for ARP poisoning. Monitors cellular networks for 2G networks, performs sanity checks and compares cell towers to a database of known networks
  • RAM Sentinel: Monitors temperature to prevent cold-boot attacks
  • Theft Sentinel: Connects to an anti-theft beacon over BLE and alarms both beacon and phone if disconnected. If the phone isn't unlocked or the beacon isn't reconnected within 5 minutes, the phone will shut down.
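The deniable-encryption items in the list above (scrypt-derived keys, a normal password and a wipe password in the footer, a secret slot hidden inside the decoy region, and verification in a randomized order with no timing leak) fit together as a small password-slot scheme. The toy model below is an added example, not Armadillo Phone's code: the layout constants, the scrypt cost, the exact password policy and the use of HMAC tags instead of a real volume cipher are all assumptions. One deliberate simplification is that the secret slot's offset is derived from the secret key and a random container salt rather than stored anywhere, so unlocking costs one scrypt call and the unlock path never has to scan the decoy region; without the secret password the slot is indistinguishable from the random filler around it.

```python
"""Toy model of a deniable password-slot layout (added example; layout,
scrypt cost and policy are assumptions, not Armadillo Phone's design)."""
import hashlib
import hmac
import os
import secrets

SALT_LEN = 16
TAG_LEN = 32                              # HMAC-SHA256 output
DECOY_LEN = 4096                          # decoy region size (assumption)
SCRYPT_COST = dict(n=2 ** 14, r=8, p=1)   # ~16 MiB per guess (assumption)


def check_policy(password: str) -> bool:
    """'Minimum 8-character alphanumeric password', read here as at least
    8 characters mixing letters and digits (assumed reading of the policy)."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def derive_key(password: str, salt: bytes) -> bytes:
    # scrypt is memory-hard, so each guess costs the attacker RAM as well as CPU.
    return hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_COST)


def tag(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def secret_offset(key: bytes) -> int:
    """Offset of the secret slot inside the decoy region. Only computable with
    the secret password's key, so the slot cannot be told apart from filler."""
    return int.from_bytes(tag(key, b"offset")[:4], "big") % (DECOY_LEN - TAG_LEN + 1)


def build_container(normal_pw: str, secret_pw: str, wipe_pw: str) -> bytes:
    if not all(check_policy(pw) for pw in (normal_pw, secret_pw, wipe_pw)):
        raise ValueError("each password must be >= 8 chars and mix letters and digits")
    if len({normal_pw, secret_pw, wipe_pw}) != 3:
        raise ValueError("the three passwords must differ")
    salt = os.urandom(SALT_LEN)
    decoy = bytearray(os.urandom(DECOY_LEN))      # looks like unused ciphertext
    k_secret = derive_key(secret_pw, salt)
    off = secret_offset(k_secret)
    decoy[off:off + TAG_LEN] = tag(k_secret, b"secret")   # hidden inside the decoy
    footer = (salt
              + tag(derive_key(normal_pw, salt), b"normal")
              + tag(derive_key(wipe_pw, salt), b"wipe"))   # wipe slot lives in the footer
    return bytes(decoy) + footer


def unlock(container: bytes, password: str) -> str:
    """Returns 'normal', 'secret', 'wipe' or 'fail'. A real device would mount
    the matching volume or, on 'wipe', destroy the key material."""
    decoy, footer = container[:DECOY_LEN], container[DECOY_LEN:]
    salt = footer[:SALT_LEN]
    normal_tag = footer[SALT_LEN:SALT_LEN + TAG_LEN]
    wipe_tag = footer[SALT_LEN + TAG_LEN:SALT_LEN + 2 * TAG_LEN]
    key = derive_key(password, salt)               # one scrypt per attempt
    off = secret_offset(key)
    candidates = [
        ("normal", normal_tag),
        ("wipe", wipe_tag),
        ("secret", decoy[off:off + TAG_LEN]),
    ]
    secrets.SystemRandom().shuffle(candidates)     # randomized verification order
    matched = "fail"
    for name, stored in candidates:                # every slot is checked, no early exit
        if hmac.compare_digest(stored, tag(key, name.encode())):   # constant-time compare
            matched = name
    return matched


if __name__ == "__main__":
    c = build_container("normal12", "secret34", "wipe5678")
    for pw in ("normal12", "secret34", "wipe5678", "wrong9999"):
        print(pw, "->", unlock(c, pw))
```

Because all three comparisons always run and use `hmac.compare_digest`, a wrong password, the decoy password and the secret password all take the same time to reject or accept, which is the property the "randomized verification order" item is after.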
Based on my experience so far with the device, which I've recently started using to keep in touch with friends and colleagues, I can easily say that this is one of the most advanced and technically sophisticated mobile security devices that can be easily obtained, and I sincerely hope that my research, security knowledge and technical expertise will prove highly valuable to what the Team at Armadillo Phone are currently doing.

Stay tuned!

Joining Team Armadillo Phone!

December 01, 2020
Dear blog readers,

It's a pleasure and an honor to let you know that I've recently joined forces with Team Armadillo Phone, as Security Blogger, in the fight against sophisticated nation-state and rogue cyber threat actors targeting mobile devices on their way to compromising sensitive and often classified personal information. I'll definitely be looking forward to making an impact with the company through the publication of high-quality security and cyber threat research, and through actively educating the company's clients and spreading the information and knowledge that helps them further protect their sensitive and often classified data from mobile threats courtesy of a multitude of malicious and fraudulent adversaries.

My responsibilities will include active research into nation-state and rogue cyber adversaries, client outreach in my capacity as Security Blogger, work on and eventual implementation of new, never-published and never-seen-before privacy and security features, a Security Audit of the device in terms of possible Threat Modelling flaws, and practical, solution-oriented implementation advice on new privacy and security features, next to the usual nation-state and rogue cyber actor threat analysis and research that I've been doing throughout the past decade.

Perfect timing to say big thanks to COO Rob Chaboyer and CEO Kelaghn Noy for bringing me on board and for actually taking the time and effort to go through my proposal and actually initiate a video conversation with me for the purpose of working together.

My initial idea is to reach out to the company's client base on possible security threats, to actively produce high-quality security and cyber adversary research targeting mobile devices at the company's blog, to publish a Threat Modelling Scenario Research Analysis there, and to deliver a practical and solution-oriented Security Audit of the device next to the introduction of new privacy and security features.

I will definitely be looking forward to making an impact with the company, and I'll continue publishing high-quality, never-published-before research analysis at my personal blog.

Exposing Yet Another Currently Active Fraudulent and Malicious Pro-Hamas Online Infrastructure

May 04, 2019
Love them or hate them - the ubiquitous "beautiful girl" scam campaign, run through fake, bogus and rogue Facebook accounts courtesy of Hamas and targeting Israeli soldiers, has to come to an end.

In this post I'll provide actionable intelligence on a currently active Pro-Hamas malicious and fraudulent infrastructure, discuss in depth the tactics, techniques and procedures of the cybercriminals behind it, and offer an in-depth perspective on a currently active Pro-Hamas hosting provider, "Nepras for Media & IT", which is basically a legitimate front-end company currently involved in a variety of Pro-Hamas malware-serving and propaganda-spreading online infrastructure, directly related to yet another Pro-Hamas franchise, "Modern Tech Corp".

Sample Facebook Profile Names involved in the campaign:
Elianna Amer
Aitai Yosef
Karen Cohen
Amit Cohen
Loren Ailan
Verena Sonner
Lina Kramer

Sample profile photos of Pro-Hamas fake and rogue Facebook accounts (images not reproduced here).
Sample malicious and fraudulent URL known to have participated in the campaign:
hxxp://apkpkg.com/android/?product=yeecallpro - 50.63.202.43; 50.87.148.131; 50.63.202.56

Related malicious MD5s known to have participated in the campaign:
MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7
MD5: 95a782bd8711ac14ad76b068767515d7
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: f6ffa064a492e91854d35e7f225b1313
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://goldncup.com
hxxp://glancelove.com - 204.11.56.48; 198.54.117.1; 198.54.117.198; 198.54.117.200; 198.54.117.197; 192.64.118.163
hxxp://autoandroidup.website
hxxp://mobilestoreupdate.website
hxxp://updatemobapp.website

Related malicious IPs known to have participated in the campaign:
hxxp://107.175.144.26
hxxp://192.64.114.147

Additional malicious MD5 known to have participated in the campaign:
MD5: 4f9383ae4d0285aeb86e56797f3193f7

Related malicious and fraudulent phone-back C&C server URLs:
hxxp://endpointup.com/update/upfolder/updatefun.php
hxxp://droidback.com/pockemon/squirtle/functions.php

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://androidbak.com
hxxp://droidback.com
hxxp://endpointup.com
hxxp://siteanalysto.com
hxxp://goodydaddy.com

Related emails known to have participated in the campaign:
info@palgoal.ps
support@nepras.com
mtcg@mtcgaza.com

Related fraudulent and malicious domains known to have been registered using the same email - info@palgoal.ps:
hxxp://7qlp.com
hxxp://all-in1.net
hxxp://androidmobgate.com
hxxp://arabstonight.com
hxxp://collectrich.com
hxxp://krmalk.com
hxxp://motionsgraphic.com
hxxp://orchidcollege.com
hxxp://paltrainers.org
hxxp://rosomat.net
hxxp://stikerscloud.com

Related fraudulent and malicious domains known to have been registered using the same email - support@nepras.com:
hxxp://acchd.net
hxxp://ahlulquran.com
hxxp://alalbait.ps
hxxp://alnorhan.com
hxxp://alowini.com
hxxp://alresalah.news
hxxp://alshibl.com
hxxp://alwanbook.com
hxxp://arqamschools.com
hxxp://azarcnc.com
hxxp://boxmarket.org
hxxp://bstcover.com
hxxp://caades.org
hxxp://detour-bs.com
hxxp://driverup2date.com
hxxp://drmazen.com
hxxp://drmazen.ps
hxxp://eta-water.com
hxxp://fares-alarab.com
hxxp://feker.net
hxxp://fekerjaded.net
hxxp://fekerjaded.com
hxxp://gaza-health.com
hxxp://gcstv.tv
hxxp://hairgenomics.com
hxxp://idco.center
hxxp://islamicbl.com
hxxp://khaledjuma.net
hxxp://kingtoys.ps
hxxp://learningoutcome.net
hxxp://lemaghi.com
hxxp://lsugaza.org
hxxp://mailsinfo.net
hxxp://majallaa.com
hxxp://manara.ps
hxxp://mobilyapp.com
hxxp://mtsc.tech
hxxp://nepras.net
hxxp://nepras.ps
hxxp://nsms.ps
hxxp://osamaalnajjar.com
hxxp://osratyorg.com
hxxp://panorama-pvs.com
hxxp://pay2earn.net
hxxp://pharmahome.net
hxxp://saqacc.com
hxxp://saudifame.com
hxxp://scc-online.net
hxxp://sondooq.net
hxxp://syada.org
hxxp://takafulsys.com
hxxp://taqat.work
hxxp://taqat.jobs
hxxp://technologylotus.com
hxxp://thoraya.net
hxxp://vgsat.com
hxxp://yabous.net
hxxp://yourav.net

Related domains registered using "Nepras for Media & IT" infrastructure:
hxxp://googlemapsservice.com
hxxp://lipidgenomics.com
hxxp://akalgroup.net
hxxp://rami-kerenawi.com
hxxp://bestyleperfumes.com
hxxp://azarcnc.com
hxxp://go-2web.com
hxxp://jettafood.com
hxxp://mushtahatours.com
hxxp://pal4news.net
hxxp://pcr-shate.com
hxxp://saqacc.com
hxxp://shahidvideo.com
hxxp://shop8d.net
hxxp://spermgenomics.com
hxxp://tawjihips.com
hxxp://vidioarb.com
hxxp://yourav.net
hxxp://yourdialerpal.com
hxxp://freedombeacon.info
hxxp://neprastest.info
hxxp://nirmaali.com
hxxp://zaibaq-hearing.com
hxxp://bramgsoft.com
hxxp://hairgenomics.com
hxxp://dietgenomix.com
hxxp://arcadialanguages.com
hxxp://himoudco.com
hxxp://moltkaa.com
hxxp://toyoorjanna.com
hxxp://facebootshe.com
hxxp://facebootshe.net
hxxp://somoood.com
hxxp://alnorhan.com
hxxp://alwatantoday.net
hxxp://elianali.com
hxxp://sspal.net
hxxp://hi-galaxy.com
hxxp://youthn.net
hxxp://gmamalaysia.com
hxxp://cbspgaza.com
hxxp://madarikmedia.com
hxxp://website-testnew.com
hxxp://childworldsociety.com
hxxp://netmarketpal.net
hxxp://albwwaba.com
hxxp://saudib.info
hxxp://pwaha.com
hxxp://smilymedia.com
hxxp://ftyatalghad.com
hxxp://coldymedia.com
hxxp://kh-alsendawy.com
hxxp://scoutsyalla.com
hxxp://almofker.com
hxxp://rawnaqmedia.net
hxxp://pro-stud.com
hxxp://shawa-plast.com
hxxp://eta-water.com
hxxp://host4tech.net
hxxp://fekerjaded.com
hxxp://audioodrivers.com
hxxp://trsanweb.com
hxxp://3almpro.com
hxxp://neprasweb.info
hxxp://thaqefnafsak.net
hxxp://newpal21.com
hxxp://ads4market.net
hxxp://qcpalestineforum.net
hxxp://alothmanx.com
hxxp://detourbs.com
hxxp://engash.com
hxxp://anafenyx.com
hxxp://dar-pal.com
hxxp://loyal-hands.com
hxxp://sahabacomplex.net
hxxp://logintest.info
hxxp://mapartnr.com
hxxp://hejazeceramics.com
hxxp://gazaapeal.com
hxxp://tawzzef.com
hxxp://gazaappeal.com
hxxp://oqpizza.com
hxxp://arqamschools.com
hxxp://nafhacenter.com
hxxp://halaalmasry.com
hxxp://q9polls.com
hxxp://q8-polls.com
hxxp://palalghadschool.com
hxxp://servesni.com
hxxp://rose2020.com
hxxp://km-pal.com
hxxp://cfpalestine.com
hxxp://ipad2me.com
hxxp://arabsdownload.com
hxxp://projectsinturkey.com
hxxp://newmassa.com
hxxp://charitysys.info
hxxp://nepraswebsite.com
hxxp://iquds.com
hxxp://yabous.net
hxxp://appsapkandroid.us
hxxp://alltech4arab.com
hxxp://hadaf.info
hxxp://plmedgroup.com
hxxp://modhish.net
hxxp://mltaka.com
hxxp://ajelapp.com
hxxp://khmap.com
hxxp://cupsport.net
hxxp://arshdnytech.com
hxxp://gmaedu.net
hxxp://lemaghi.com
hxxp://creativityjob.com
hxxp://imes-group.net
hxxp://rawnaqmedia.com
hxxp://alwanbook.com
hxxp://fifafoot.com
hxxp://sportarabs.com
hxxp://el-qalam.com
hxxp://bawadirsoft.com
hxxp://palalghad-school.com
hxxp://mixedwork.com
hxxp://alowini.com
hxxp://detour-bs.com
hxxp://earningoutcome.net
hxxp://shahedcom.com
hxxp://sport-kora.com
hxxp://torathshop.com
hxxp://newsolararabian.com
hxxp://h3sk.com
hxxp://gh-gaza91.com
hxxp://watanps.com
hxxp://mobilyapp.com
hxxp://nfs-pal.com
hxxp://yousef123.com
hxxp://alhato.com
hxxp://alyawmpress.net
hxxp://technologylotus.com
hxxp://qavalues.com
hxxp://ask2play.net
hxxp://hamasld.com
hxxp://bhscfood.com
hxxp://nmanews.com
hxxp://ifcdoha4.com
hxxp://sparkpowerco.net
hxxp://archour.com
hxxp://nmanews.net
hxxp://academy-uk.net
hxxp://turkey-gate.com
hxxp://learningoutcome.net
hxxp://smattrix.com
hxxp://eradaa.net
hxxp://paltoday.com
hxxp://sugar-salt.net
hxxp://boutiqobasket.com
hxxp://ethadalpadia.com
hxxp://fonoungallery.com
hxxp://gazawiit.com
hxxp://alfarisnt.com
hxxp://lama-film.net

Related domains registered using "Nepras for Media & IT" infrastructure:
hxxp://lovemagazineofficial.com
hxxp://masmo7.com
hxxp://mnwrna.com
hxxp://androidbak.com
hxxp://fastdroidmob.com
hxxp://treestower.com
hxxp://aymanjoda.com
hxxp://advflameco.com
hxxp://mahmoudzuaiter.com
hxxp://libyatoda.com
hxxp://mtcpal.com
hxxp://khfamilies.com
hxxp://ch2t0.com
hxxp://dwratcom.com
hxxp://faker4.com
hxxp://orubah.com
hxxp://orchidcollege.com
hxxp://yasser-arafat.com
hxxp://wf-hall.com
hxxp://maharaty.net
hxxp://addoja.net
hxxp://arb10.com
hxxp://ajel-news.com
hxxp://rosomat.net
hxxp://sahifty.net
hxxp://looktik.com
hxxp://pstent.com
hxxp://newsmagasine.com
hxxp://gazass.com
hxxp://dooownloads.com
hxxp://androidmobgate.com
hxxp://koora-fast.com
hxxp://fitlifee.com
hxxp://share-crowd.com

Related domains registered using the "Modern Tech Corp" Pro-Hamas fraudulent and malicious infrastructure:
hxxp://atfalocom.com
hxxp://bopfile.com
hxxp://djadet.com
hxxp://ecsrs.com
hxxp://egp-gaza.com
hxxp://infoocean.net
hxxp://katakeety.com
hxxp://katakeety.net
hxxp://linefood.com
hxxp://mtcpal.net
hxxp://nawrastv.net
hxxp://shobbaik.com
hxxp://tashbik.biz
hxxp://tashbik.com
hxxp://vansac-english.com
hxxp://woodrom.com
hxxp://alfareeq.info
hxxp://tashbik.info
hxxp://cashbacksave.com
hxxp://nerab.com
hxxp://download4android.com
hxxp://altartosi.net
hxxp://fostanews.com
hxxp://silverdai.com
hxxp://selhelou.com
hxxp://albassam-co.com
hxxp://almanar-studio.com
hxxp://facekooora.com
hxxp://holylandcar.com
hxxp://qneibi.com
hxxp://shaheen-flower.com
hxxp://strong-k.com
hxxp://pioneerfoodco.com
hxxp://sinokrotex.com
hxxp://zawiaa.net
hxxp://amwwal.com
hxxp://abuamra.com
hxxp://madridista-arab.com
hxxp://donia-fm.com
hxxp://donia-fm.net
hxxp://lmasatfnya.com
hxxp://dolphinexpress1.com
hxxp://dolphinexpress1.info
hxxp://dolphinexpress1.net
hxxp://radiosurif.com
hxxp://sahaba-radio.com
hxxp://odmint.com
hxxp://ylapin.com
hxxp://ylapin.net
hxxp://mypage-pro.com
hxxp://mohdsheikh.com
hxxp://altelbany.com
hxxp://dolphinariumtours.com
hxxp://artsofali.com
hxxp://menalmuheetlelkhaleej.com
hxxp://alghaidaa.com
hxxp://ajwad-marble.com
hxxp://istakbel.com
hxxp://istaqbel.com
hxxp://istaqbil.com
hxxp://istaqbl.com
hxxp://istqbl.com
hxxp://estakbel.com
hxxp://estaqbel.com
hxxp://estaqbil.com
hxxp://estaqbl.com
hxxp://estqbl.com
hxxp://massrefy.com
hxxp://massrify.com
hxxp://amwwaly.com
hxxp://amwwaly.info
hxxp://amwwaly.net
hxxp://nawrastv.com
hxxp://stepcrm.com
hxxp://imraish.com
hxxp://zawiaa.com
hxxp://3la-kefak.com
hxxp://bsaisofamily.com

Related malicious SHA-1 hashes known to have participated in the campaign:
SHA1: 10f27d243adb082ce0f842c7a4a3784b01f7248e
SHA1: b8237782486a26d5397b75eeea7354a777bff63a
SHA1: 09c3af7b0a6957d5c7c80f67ab3b9cd8bef88813
SHA1: 9b923303f580c999f0fdc25cad600dd3550fe4e0
SHA1: 0b58c883efe44ff010f1703db00c9ff4645b59df
SHA1: 0a5dc47b06de545d8236d70efee801ca573115e7
SHA1: 782a0e5208c3d9e8942b928857a24183655e7470
SHA1: 5f71a8a50964dae688404ce8b3fbd83d6e36e5cd
SHA1: 03b404c8f4ead4aa3970b26eeeb268c594b1bb47

Related certificate SHA-1 fingerprints known to have participated in the campaign:
10:EB:7D:03:2A:B9:15:32:8F:BF:68:37:C6:07:45:FB:DF:F1:87:A6
9E:52:71:F3:D2:1D:C3:22:28:CB:50:C7:33:05:E3:DE:01:EB:CB:03
44:52:E6:4C:97:4B:6D:6A:7C:40:AD:1E:E0:17:08:33:87:AA:09:09
67:43:9B:EE:39:81:F3:5E:10:33:C9:7A:D9:4F:3A:73:3B:B0:CF:0A
89:C8:E2:E3:4A:23:3C:A0:54:A0:4A:53:D6:56:C8:2D:4A:8D:80:56
B4:D5:0C:8B:73:CB:A9:06:8A:B3:F2:49:35:F8:58:FE:A2:3E:2E:3A

Related malicious MD5s known to have participated in the campaign, including C&C phone-back locations:
MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7 - once executed, the sample phones back to the following malicious domain - hxxp://jonalbertwebsite.000webhostapp.com
MD5: 95a782bd8711ac14ad76b068767515d7 - once executed, the sample phones back to hxxp://107.175.144.26/apps/d/p/op.php and then to hxxp://app-measurement.com/config/app/1:487050065789:android:6a899b85b4fafd55?app_instance_id=76d4b711c98c3632398d47cb8d5777a3&platform=android&gmp_version=11200 (app-measurement.com is Google's Firebase analytics endpoint, so the second request is the bundled Firebase SDK's telemetry rather than attacker-controlled infrastructure; the Firebase app ID in that URL is still worth recording as a pivot across samples)
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: f6ffa064a492e91854d35e7f225b1313 - once executed, the sample phones back to the following malicious domain - hxxp://192.64.114.147/apps/d/p/op.php
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: 7a9503152b4c8c1ee80ac7daf5405a91


Related malicious URL known to have participated in the campaign:
hxxp://bit.ly/2M7E2Zg

Rogue Android Apps Hosting Web Site Exposes Malicious Infrastructure

October 21, 2014

With cybercriminals continuing to populate the cybercrime ecosystem with automatically generated and monetized mobile malware variants, we continue to observe a logical shift towards the convergence of cybercrime-friendly revenue-sharing affiliate networks and malicious infrastructure providers, on their way to achieving a positive ROI (return on investment) out of their risk-forwarding fraudulent activities.

I've recently spotted a legitimate-looking rogue Android apps hosting Web site, directly connected to a market-leading DIY API-enabled mobile malware generating/monetizing platform, further exposing related fraudulent operations performed using the malicious infrastructure, which I'll expose in this post.

Let's assess the campaign, expose the malicious infrastructure behind it, list the cybercrime-friendly premium-rate SMS numbers involved in it, as well as the related malicious MD5s known to have participated in the campaign or to have utilized the same malicious infrastructure.

Sample rogue Android apps hosting URL: hxxp://androidapps.mob.wf - 37.1.206.173

Responding to the same IP (37.1.206.173) are also the following fraudulent domains:
hxxp://22-minuty.ru
hxxp://nygolfpro.com
hxxp://bloomster.dp.ua
hxxp://stdstudio.com.ua
hxxp://autosolnce.ru

Detection rate for sample rogue Android apps:
MD5: 4bf349b601fd73c74eafc01ce8ea8be7
MD5: c4508c127029571e5b6f6b08e5c91415
MD5: bd296d35bf41b9ae73ed816cc7c4c38b

Sample redirection chain exposing the fraudulent infrastructure: hxxp://22-minuty.ru -> hxxp://playersharks2.com/player.php/?userid= - 94.242.214.133; 94.242.214.155

Known to have responded to the same IPs (94.242.214.133; 94.242.214.155) are also the following fraudulent domains, participating in a related revenue-sharing affiliate network based type of monetization scheme:
hxxp://4books.ru
hxxp://annoncer.media-bar.ru
hxxp://booksbutton1.com
hxxp://film-club.ru
hxxp://film-popcorn.ru
hxxp://filmbuttons.ru
hxxp://filmi-doma.com
hxxp://filmonika.ru
hxxp://films.909.su
hxxp://indiiskie.ru
hxxp://kinozond.ru
hxxp://media-bar.ru
hxxp://playersharks2.com
hxxp://playersharks4.com
hxxp://pplayer.ru
hxxp://sharksplayer2.com
hxxp://sharksplayer3.ru
hxxp://sharksreader.ru
hxxp://tema-info.ru
hxxp://toppfilms.ru
hxxp://video-movies.com
hxxp://video.909.su
hxxp://videodomm.ru
hxxp://videozzy.com
hxxp://videozzzz.ru
hxxp://websharks.ru
hxxp://yasmotrju.ru



Malicious MD5s known to have phoned back to the same IP (94.242.214.133):
MD5: 9ec8aef6dc0e3db8596ac54318847328
MD5: 895c38ec4fb1fbee47bfb3b6ee3a170b
MD5: c4d88b32b605500b7f86de5569a11e22
MD5: 49861fd4748dd57c192139e8bd5b71e3
MD5: 8b350f8a32ef4b28267995cf8f0ceae1

Premium rate SMS numbers involved in the fraudulent scheme:
7151; 9151; 2855; 3855; 3858; 2858; 8151; 7155; 7255; 3190; 3200; 3170; 3006; 3150; 6150; 4124; 4481; 7781; 5014; 1151; 4125; 1141; 1131; 1350; 3354; 7122; 3353; 7132; 3352; 8355; 8155; 8055; 7515; 1037; 1953; 3968; 5370; 1952; 3652; 5373; 9191; 1005; 7019; 7250; 1951; 7015; 7099; 7030


Once executed, MD5: 9ec8aef6dc0e3db8596ac54318847328 phones back to the following endpoints, further exposing the malicious infrastructure. A caveat before blocklisting them: the list contains a private address (192.168.0.105), the BitTorrent Local Service Discovery multicast group (239.192.152.143:6771) and many peers on 6881/6882, the default BitTorrent client ports, so most of these are peers the sample exchanged traffic with rather than dedicated C&C servers:
67.215.246.10:6881
82.221.103.244:6881
114.252.58.66:6407
89.136.77.86:45060
212.25.54.183:32822
107.191.223.72:22127
87.89.149.106:24874
82.247.154.128:47988
108.181.68.73:47342
82.74.179.126:52352
121.222.168.146:64043
217.121.30.46:34421
115.143.245.78:51548
110.15.205.16:51477
37.114.69.97:19079
85.229.206.243:55955
95.109.112.178:60018
95.68.195.182:44025
239.192.152.143:6771
109.187.54.101:13100
117.194.5.97:55535
95.29.112.178:59039
109.162.133.97:19459
83.205.112.178:11420
95.68.3.182:53450
175.115.103.140:52696
197.2.133.97:27334
84.55.8.7:10060
27.5.132.243:19962
123.109.176.178:36527
175.157.176.178:22906
188.187.147.247:14745
178.212.133.205:52416
145.255.1.250:41973
213.21.32.190:51413
93.73.165.31:61889
176.97.214.119:46605
185.51.127.134:16447
109.239.42.123:16845
77.232.158.215:40266
178.173.37.2:47126
62.84.24.219:47594
37.144.87.15:13448
5.251.28.179:39620
94.19.66.51:42894
94.51.242.89:35691
93.179.102.216:24458
212.106.62.201:44821
95.52.69.39:12249
46.118.64.45:44172
217.175.33.130:45244
185.8.126.226:32972
93.92.200.202:56664
94.214.220.37:35196
46.182.132.67:32103
46.188.123.131:11510
83.139.188.142:34549
188.232.124.16:27582
91.213.23.226:19751
95.32.142.28:55555
95.83.188.157:15714
95.128.244.10:59239
176.31.240.170:6882
79.109.88.241:6881
91.215.90.109:34600
62.198.229.165:6881
91.148.118.250:21558
81.82.210.40:6881
97.121.23.163:31801
78.186.155.62:6881
78.1.158.105:47475
79.160.62.185:9005
213.87.123.81:17790
178.150.154.26:26816
83.174.247.71:59908
109.87.175.144:29374
86.57.186.171:45013
193.222.140.60:35691
176.115.158.138:24253
42.98.191.90:7085
178.127.152.72:10107
82.239.74.201:61137
185.19.22.192:46337
86.185.92.38:10819
78.214.194.145:24521
37.78.85.173:49001
82.70.112.150:32371
37.131.212.35:18525
79.136.156.151:59659
2.134.48.150:12530
95.29.164.86:6881
37.147.16.242:64954
79.45.36.86:22690
112.208.182.65:56374
62.99.29.74:44822
95.16.12.111:12765
124.169.69.69:41216
5.164.83.49:62348
79.22.73.216:61914
46.63.131.146:6881
89.150.119.203:55029
58.23.49.24:2717
83.41.5.241:45624
87.21.80.23:27949
178.150.176.150:57997
178.127.195.146:58278
5.141.236.13:15784
125.182.35.138:54094
99.228.23.82:29302
14.111.131.146:33433
122.177.90.137:25375
178.223.195.146:54596
182.54.112.150:1058
109.23.145.152:31514
213.241.204.31:27769
188.168.58.6:45823
2.94.4.215:50830
42.91.39.236:13923
116.33.113.4:19973
86.182.170.27:25712
177.82.206.231:39043
122.143.152.35:7890
217.13.219.147:39190
77.75.13.195:16279
87.239.5.144:58749
89.141.116.97:49001
176.106.11.49:44690
112.14.110.199:33243
122.26.6.52:20527
178.223.195.146:23034
98.118.85.85:51413
190.63.131.146:6881
46.151.242.82:16046
176.106.19.185:46114
85.113.157.12:62633
192.168.0.105:58749
211.89.227.34:56333
36.68.16.149:42839
31.15.80.10:42061
130.15.95.112:6881
87.119.245.51:6882
109.173.101.19:19700
193.93.187.234:1214
176.106.18.254:43469
176.183.137.53:19155
176.113.168.51:52672
93.123.60.130:52981
79.100.9.81:14053
91.124.125.16:29914
46.16.228.135:53473
95.61.55.234:22974
190.213.101.39:44376
58.173.158.99:50821
188.25.108.102:31047
95.153.175.173:15563
75.120.194.116:58001
61.6.218.126:63291
128.70.19.98:64296
5.167.193.5:25861
185.57.73.27:47892
109.205.249.105:58449
77.228.235.226:57715
2.62.49.161:49001
67.234.161.61:65228
91.243.100.237:40431
105.155.1.67:16084
73.34.178.71:41864
145.255.169.122:4612
92.241.241.4:61613
145.255.21.166:46596
83.253.71.148:34016
173.246.26.126:12988
79.181.115.213:43853
46.237.69.97:50772
86.159.67.146:48959
213.100.105.54:52147
178.45.129.126:45710
188.78.232.53:39336
70.82.20.41:11248
88.132.82.254:52722
85.198.154.126:35403
89.67.245.2:21705
95.76.128.209:36640
61.242.114.3:6383
79.112.156.169:10236
95.25.111.173:40781
108.36.82.254:57393
88.8.84.79:56740
118.36.49.220:59561
60.197.149.187:12996
86.26.224.104:39597
120.61.161.250:10023
151.249.239.173:6881
86.178.212.41:28489
95.180.244.144:48245
111.171.83.212:52952
122.164.99.166:1024
201.110.110.63:19314
79.100.52.144:54312
194.219.103.45:24008
178.89.171.19:10003
124.12.192.197:6881
92.96.186.112:31100
207.216.138.62:6881
194.8.234.230:51413
92.220.24.133:6881
2.134.203.233:6881
122.169.237.54:17407
36.232.153.137:16001
130.43.123.202:45689
86.73.45.54:56161
37.215.93.59:27997
78.154.164.176:42780
5.10.134.6:50452
98.176.222.50:61000
93.54.90.126:1189
220.81.46.201:51526
39.41.111.173:7702
41.111.41.122:19132
211.108.64.209:20728
178.66.212.41:14865
182.187.103.45:57751
118.41.230.79:52520
186.155.231.45:34294
109.174.113.128:15947
188.6.88.229:16785
99.247.58.79:23197
94.137.237.54:14617
197.203.129.67:10204
5.107.65.67:21618
117.194.114.71:64476
94.153.45.54:32715
2.176.158.50:17404
5.18.178.71:50971
78.130.212.41:63075
86.121.45.54:55858
109.187.1.67:15413
108.199.125.160:38558
83.181.18.121:15859
93.109.242.198:26736
95.86.220.68:27877
37.204.22.24:24146
198.203.28.43:17685
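The indicator lists on this page mix several formats (defanged hxxp:// URLs and domains, MD5 and SHA-1 digests, IP:port pairs, certificate fingerprints) and carry two kinds of mistakes a consumer should catch before loading them into a blocklist: the 40-character values labelled MD5 in the Pro-Hamas post above are SHA-1 digests, and the peer list above contains private and multicast addresses and default BitTorrent ports that are not Internet-reachable C&C servers. The following triage script is an added example, not the author's tooling; the port set and the domain heuristic (lowercase dotted labels only) are assumptions, and the sample lines are copied from the posts above.

```python
"""Triage for the defanged IOC lists on this page (added example, not the
author's tooling; BITTORRENT_PORTS and the domain heuristic are assumptions)."""
import ipaddress
import re
from urllib.parse import urlsplit

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
BITTORRENT_PORTS = {6881, 6882, 6771}   # default peer ports + Local Service Discovery (assumed)
TOKEN_SPLIT = re.compile(r"[\s;,]+")
HEX_RE = re.compile(r"^[0-9a-fA-F]{24,64}$")          # wide enough to catch damaged hashes
FPR_RE = re.compile(r"^(?:[0-9a-f]{2}:){19}[0-9a-f]{2}$")   # colon-separated SHA-1 fingerprint
IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")   # lowercase only: skips AV names like Trojan.Dropper.FB

# Constructed sample: lines copied from the posts above.
SAMPLE = """MD5: 10f27d243adb082ce0f842c7a4a3784b01f7248e
MD5: 95a782bd8711ac14ad76b068767515d7 - once executed the sample phones back to the following malicious domains - hxxp://107.175.144.26/apps/d/p/op.php
hxxp://glancelove.com - 204.11.56.48; 198.54.117.1
239.192.152.143:6771
192.168.0.105:58749
67.215.246.10:6881
10:EB:7D:03:2A:B9:15:32:8F:BF:68:37:C6:07:45:FB:DF:F1:87:A6
"""


def refang(token: str) -> str:
    """Turn the hxxp:// and hxxps:// defanging used in the lists back into real schemes."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", token, flags=re.I)


def ip_warnings(ip: str, port):
    """Flag endpoints that cannot be reachable C&C servers or look like BitTorrent peers."""
    warnings = []
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:                      # checked explicitly: is_global misses multicast
        warnings.append("multicast address, not a reachable server")
    elif addr.is_loopback or addr.is_link_local or addr.is_private:
        warnings.append("non-routable address (RFC 1918/loopback/link-local)")
    elif addr.is_reserved:
        warnings.append("reserved address")
    if port in BITTORRENT_PORTS:
        warnings.append("default BitTorrent port; likely a peer, not C&C")
    return warnings


def triage_line(line: str):
    """Return (type, value, warnings) records for the indicators found on one line."""
    records, label = [], None
    for tok in TOKEN_SPLIT.split(line.strip()):
        if not tok or tok in ("-", "->"):
            continue
        low = tok.lower()
        if low.rstrip(":") in ("md5", "sha1", "sha256"):    # "MD5:" prefix applies to the next token
            label = low.rstrip(":")
            continue
        if FPR_RE.match(low):
            records.append(("cert-sha1", low.replace(":", ""), []))
        elif HEX_RE.match(tok):
            algo, warn = HASH_ALGOS.get(len(tok)), []
            if algo is None:
                warn.append("%d hex chars is not an MD5/SHA-1/SHA-256 length" % len(tok))
            elif label and label != algo:
                warn.append("labelled %s but %d hex chars is %s" % (label, len(tok), algo))
            records.append(("hash", low, warn))
        elif low.startswith(("hxxp://", "hxxps://", "http://", "https://")):
            url = refang(tok)
            parts = urlsplit(url)
            host = parts.hostname or ""
            warn = ip_warnings(host, parts.port) if IP_PORT_RE.match(host) else []
            records.append(("url", url, warn))
        elif IP_PORT_RE.match(tok):
            ip, port = IP_PORT_RE.match(tok).groups()
            records.append(("ip", tok, ip_warnings(ip, int(port) if port else None)))
        elif DOMAIN_RE.match(tok):
            records.append(("domain", tok, []))
        label = None                                         # a label only covers the next token
    return records


def triage(text: str):
    return [rec for line in text.splitlines() for rec in triage_line(line)]


if __name__ == "__main__":
    for kind, value, warnings in triage(SAMPLE):
        print("%-10s %-60s %s" % (kind, value, "; ".join(warnings)))
```

Run against the whole page, the script turns the lists into typed records that can be loaded into a blocklist after filtering out anything with a warning; it is a heuristic, so lines that are prose rather than indicators simply produce no records.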

What's particularly interesting about this campaign is that the Terms of Service (ToS) presented to gullible, socially engineered end users refers to a well-known Web site (jmobi.net), directly connected with the market-leading DIY API-enabled mobile malware generating/monetization platform extensively profiled in a previously published post.

As cybercriminals continue to achieve cybercrime-ecosystem-wide standardization, we'll continue to observe an increase in fraudulent activity, with the cybercriminals behind it continuing to innovate on their way to efficient monetization schemes and risk-forwarding fraudulent models, further contributing to the adaptive innovation applied to their current TTPs (tactics, techniques and procedures).

Facebook Circulating 'Who's Viewed Your Profile' Campaign Exposes 800k+ Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush

December 04, 2013

A massive privacy-violating, Facebook-circulating "Who's Viewed Your Profile" campaign has been operating beneath the radar, exposing over 800,000 users internationally to a cocktail of PUAs (Potentially Unwanted Applications), rogue Firefox add-ons impersonating Adobe's Flash Player, and the Android-based adware AirPush.

Relying on the proven social engineering tactic of "offering what's not on offer" (Facebook does not expose who viewed a profile), next to hosting the rogue files on legitimate service providers -- Google Docs and Dropbox in this case -- the campaign is a great example of how this social engineering scheme, ubiquitous on the social network, continues to trick gullible and uninformed users into installing privacy-violating applications on their hosts/mobile devices.

Let's dissect the campaign, expose its infrastructure, (conservatively) assess the damage, and provide fresh MD5s for the currently served privacy-violating PUAs, Firefox add-ons, and Android adware.

Primary spamvertised Facebook URL: FCOSYUC.tk/?15796422
Redirection chain: p2r0f3rviewer9890.co.nf -> bit.ly/1bZCeNv?vsdvc -> wh0prof.uni.me/?sdvsjka -> wh0prof.uni.me/ch/
Rogue Google Store Extension URL (currently offline): hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej
Campaign's GA Account ID: UA-12798017-1


Domain name reconnaissance:
wh0prof.uni.me - 192.157.201.42

Known to have responded to the same IP are also the following domains:
cracks4free.info
pr0lotra.p9.org


Google Docs Hosted PUA URLs:
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFljUDBnTjFHdVE&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqRXBMLWZ4cVZJV2s&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqUjllLWc4MVFRQUk&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqOXlyNko0VFBOdnM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqZm5yeUFudFhqclU&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqbWpfNW5FalJmRGM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqS3V1ZkZBQjJGbjQ&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqX2xXbEJLbEY0Q3M&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqMU5RVkJSWURxME0&export=download


Dropbox Firefox Add-on/Android APK Hosted URLs:
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk
hxxps://dl.dropboxusercontent.com/s/kor9c2mqv49esva/kkadobe-ff.xpi



Detection rate for the served PUAs, the Android adware and the rogue Firefox Add-on:
MD5: c7fcf7078597ea752b8d54e406c266a7 - detected by 5 out of 48 antivirus scanners as PUP.Optional.CrossRider
MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 6 out of 48 antivirus scanners as Trojan.Dropper.FB
MD5: f2459b6bde1d662399a3df725bf8891b - detected by 13 out of 48 antivirus scanners as Adware/AirPush!Android; Android Airpush; Adware/ANDR.Airpush.G.Gen
MD5: 3fb95e1ed77d1b545cf7385b4521b9ae - detected by 18 out of 48 antivirus scanners as JS/TrojanClicker.Agent.NDL

Once executed MD5: 30cf98d7dc97cae57f8d72487966d20b phones back to 195.167.11.4.

Time to (conservatively) assess the campaign's damage over the year(s):





The click-through rate should be considered conservative, and it remains unknown whether the URL shortening service was used by the cybercriminal(s) since day one of the campaign.




The campaign remains active, and is just the tip of the iceberg in terms of similar campaigns tricking Facebook users into thinking that they can see who's viewed their profile. Facebook users who stumble across such campaigns on their own or their friends' Walls are advised to report them to Facebook immediately.
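The indicators in this post (the redirection chain, the hosting IP, the phone-back IP and the MD5s) only pay off once they are matched against what a network actually saw. The following Python is an added example, not code from the original post: it pulls the defanged indicators out of text like the lines above and matches them against proxy log lines and file hashes. INDICATOR_TEXT copies indicator lines from this post; the log format ("timestamp client method url status"), the LOG_LINES themselves and the list of shared hosts (shortener and file-sharing providers whose domain alone is not an indicator) are constructed assumptions.

```python
"""Extract defanged indicators from a write-up like the one above and match
them against proxy log lines and file hashes. Added example, not code from the
original post; INDICATOR_TEXT copies indicator lines from the post, while the
log format ("timestamp client method url status") and LOG_LINES are constructed."""
import re
from urllib.parse import urlsplit

# Shortener/file-sharing hosts: only the exact URL is an indicator there, the
# domain alone would match plenty of legitimate traffic (assumption).
SHARED_HOSTS = {"bit.ly", "docs.google.com", "dl.dropboxusercontent.com", "chrome.google.com"}
NOT_TLDS = {"apk", "xpi", "crx", "php", "exe", "html", "js"}  # file extensions, not TLDs

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"(?:hxxps?|https?)://\S+", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
CHAIN_RE = re.compile(r"^Redirection chain:\s*(.+)$", re.M)
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

INDICATOR_TEXT = """
Redirection chain: p2r0f3rviewer9890.co.nf -> bit.ly/1bZCeNv?vsdvc -> wh0prof.uni.me/?sdvsjka -> wh0prof.uni.me/ch/
wh0prof.uni.me - 192.157.201.42
cracks4free.info
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk
MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 6 out of 48 antivirus scanners
Once executed MD5: 30cf98d7dc97cae57f8d72487966d20b phones back to 195.167.11.4.
"""

LOG_LINES = [  # constructed, not from the post
    "2013-11-20T10:01:02Z 10.0.0.5 GET http://wh0prof.uni.me/ch/ 200",
    "2013-11-20T10:01:03Z 10.0.0.5 GET http://bit.ly/1bZCeNv?vsdvc 301",
    "2013-11-20T10:01:04Z 10.0.0.7 GET https://dl.dropboxusercontent.com/s/abc123/report.pdf 200",
    "2013-11-20T10:01:05Z 10.0.0.9 POST http://195.167.11.4/ 200",
    "2013-11-20T10:01:06Z 10.0.0.5 GET http://www.example.com/ 200",
]


def refang(url):
    """hxxp(s):// -> http(s):// so urlsplit can parse the URL."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I)


def normalise(url_like):
    """Reduce a URL, with or without scheme, to host[/path][?query]; host lowercased."""
    u = refang(url_like).rstrip(".,;)")
    if "://" not in u:
        u = "http://" + u
    p = urlsplit(u)
    if not p.hostname:
        return None
    return p.hostname + p.path + ("?" + p.query if p.query else "")


def extract_indicators(text):
    ind = {"md5s": {m.lower() for m in MD5_RE.findall(text)},
           "ips": set(IP_RE.findall(text)), "urls": set(), "domains": set()}
    url_likes = [m.group(0) for m in URL_RE.finditer(text)]
    for m in CHAIN_RE.finditer(text):            # scheme-less hops of a redirect chain
        url_likes.extend(m.group(1).split("->"))
    for u in url_likes:
        n = normalise(u)
        if n is None:
            continue
        ind["urls"].add(n)
        host = n.split("/", 1)[0].split("?", 1)[0]
        if host not in SHARED_HOSTS and not IP_RE.fullmatch(host):
            ind["domains"].add(host)
    # Bare domains in the prose; full URLs are blanked first so that file names
    # such as WhoViewsYourProfile.apk are not mistaken for domains.
    for d in DOMAIN_RE.findall(URL_RE.sub(" ", text)):
        d = d.lower()
        if d.rsplit(".", 1)[1] not in NOT_TLDS and d not in SHARED_HOSTS:
            ind["domains"].add(d)
    return ind


def match_log(lines, ind):
    """Return (client, url, reason) for every log line that touches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m["url"]
        host = (urlsplit(url).hostname or "").lower()
        if host in ind["ips"]:
            reason = "ip:" + host
        elif host in ind["domains"]:
            reason = "domain:" + host
        elif normalise(url) in ind["urls"]:     # shared hosts: exact URL only
            reason = "url:" + normalise(url)
        else:
            continue
        hits.append((m["client"], url, reason))
    return hits


def match_hashes(observed, ind):
    """Case-insensitive lookup of observed file MD5s against the indicator set."""
    return {h.lower() for h in observed if h.lower() in ind["md5s"]}
```

Running `match_log(LOG_LINES, extract_indicators(INDICATOR_TEXT))` flags the wh0prof.uni.me request by domain, the bit.ly request only because the full shortened URL matches, and the POST to 195.167.11.4 by IP; the unrelated Dropbox download is left alone because the provider's domain is deliberately not treated as an indicator.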

Fake Chrome/Firefox/Internet Explorer/Safari Updates Expose Users to Android Malware

November 14, 2013
A currently ongoing malicious campaign, using compromised sites as its primary traffic acquisition tactic, is attempting to socially engineer (English- and Russian-speaking) users into thinking that they're using an outdated version of their browser and need to apply a bogus (security/antivirus) update. In reality, the "update" is a variant of Trojan:Android/Fakeinst.EQ/Android.SmsSend.

Sample screenshots of the fake browser update landing pages:




Social engineering redirection chain: hxxp://france-leasebacks.com/includes/domit/1.php -> hxxp://advertcliks.net/ir/28/1405/56e9ca1335c2773445a79d5ddf75a755/ (93.115.82.239; Email: maxaxaha@gmail.com) -> hxxp://newupdateronline.org (109.163.230.182; Email: vbistrih@yandex.com).

Known to have responded to 109.163.230.182 are also the following domains:
1mc8.asia
anglecultivatep.in
appallinglyndiscoveries.in
bilious-6biros.in
boathire.pw
cvwv87.pro
dlsdcncnew1.pw
efuv77.pro
familye-perspex.in
farting-meagre.in
flvupdate.in
fringeclamberedk.in
hopefully-great8.in
investment-growsa.asia
money-tree.pw
moon-media.pw
moontree.pw
mountainlake.pw
movingv-relation.in
new-updateronline.org

Sample Android APKs pushed by the campaign:
MD5: da7fffa08bdeb945ca8237c2894aedd0 - detected by 11 out of 46 antivirus scanners as Android.SmsSend.809.origin; Android.Trojan.FakeInst.HE
MD5: 1e1f57f6c8c9fb39da8965275548174f - detected by 17 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL
MD5: b0f597636859b7f5b2c1574d7a8bbbbb - detected by 13 out of 47 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL
MD5: b40aebc327e1bc6aabe5ccb4f18e8ea4 - detected by 16 out of 48 antivirus scanners as Android:FakeIns-AF; Trojan:Android/Fakeinst.EQ

All samples phone back to dlsdcncnew.net (109.163.230.182; Email: constantin.zawyalov@yandex.ru). Responding to the same IP is also newapk-flv.org.

The same email is also known to have been previously used to register the following domains:
downloader8days.in
open-filedownload4.in (known to have responded to 188.95.159.30)
upweight.in
bestnewbrowsers.in
bestowedcomedyb.org (known to have responded to 109.163.230.180)
expandload.in
2012internet-load.in
4interfilefolder.in
99030.in
admitted-6crept.org
rufileserver.in

It appears that the traffic is not segmented -- to affect mobile device users only -- at any point of the redirection chain, an indication of what I believe is a boutique cybercrime-friendly operation. In comparison, the relatively more sophisticated ones would segment the traffic, usually acquired through the active exploitation of tens of thousands of legitimate Web sites, or the direct purchase of segmented mobile traffic.
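A quick way to test the segmentation claim made above is to request the landing page twice, once as a desktop browser and once as an Android browser, and compare the first hop: a segmenting operation redirects only the mobile visitor, sends it to a different host, or hands it an APK/JAR directly. The following Python is an added example, not code from the original post; the two User-Agent strings, the .example hostnames and the sample responses are constructed assumptions. The constructed mobile responses show what a segmenting operation looks like; the campaign described in this post would return the same answer to both probes and come back as not segmented.

```python
"""Probe a landing page as a desktop browser and as an Android browser and
report whether it segments traffic by User-Agent. Added example, not code from
the original post; the User-Agent strings, the .example hostnames and the
sample Probe objects are constructed assumptions."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

DESKTOP_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36")
ANDROID_UA = ("Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; GT-I9300 Build/JZO54K) "
              "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")
PACKAGE_TYPES = {"application/vnd.android.package-archive",  # .apk
                 "application/java-archive"}                 # .jar (J2ME)


@dataclass
class Probe:
    status: int
    location: Optional[str]   # Location header of a 3xx answer, else None
    content_type: str
    body_head: bytes          # first few bytes of the body


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first hop is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, user_agent, timeout=10):
    """Live probe of one URL with one User-Agent (not exercised offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as r:
            return Probe(r.status, r.headers.get("Location"),
                         r.headers.get("Content-Type", ""), r.read(4))
    except urllib.error.HTTPError as e:      # 3xx (unfollowed), 4xx and 5xx land here
        return Probe(e.code, e.headers.get("Location"),
                     e.headers.get("Content-Type", ""), e.read(4))


def _host(location):
    return urlsplit(location).hostname if location else None


def serves_package(p):
    """APK/JAR by declared type, or a ZIP signature whatever the type says."""
    base = p.content_type.split(";", 1)[0].strip().lower()
    return base in PACKAGE_TYPES or p.body_head.startswith(b"PK\x03\x04")


def compare(desktop, mobile):
    """Decide whether the two probes show User-Agent based segmentation."""
    reasons = []
    d_redir, m_redir = desktop.status // 100 == 3, mobile.status // 100 == 3
    if d_redir != m_redir:
        reasons.append("only the %s visitor is redirected" % ("mobile" if m_redir else "desktop"))
    elif d_redir and _host(desktop.location) != _host(mobile.location):
        reasons.append("redirect targets differ: %s vs %s"
                       % (_host(desktop.location), _host(mobile.location)))
    if serves_package(mobile) and not serves_package(desktop):
        reasons.append("only the mobile visitor is handed an APK/JAR")
    return {"segmented": bool(reasons), "reasons": reasons}


def probe_live(url):
    """Usage against a real URL: fetch both sides, then compare."""
    return compare(fetch(url, DESKTOP_UA), fetch(url, ANDROID_UA))


# Constructed responses standing in for two probes of the same URL.
SAMPLE_DESKTOP = Probe(200, None, "text/html; charset=utf-8", b"<!DO")
SAMPLE_MOBILE = Probe(302, "http://updater.example/browser-update.apk", "text/html", b"")
SAMPLE_MOBILE_APK = Probe(200, None, "application/vnd.android.package-archive", b"PK\x03\x04")
```

`compare(SAMPLE_DESKTOP, SAMPLE_MOBILE)` reports the mobile-only redirect, `compare(SAMPLE_DESKTOP, SAMPLE_MOBILE_APK)` reports the package handed only to the mobile visitor, and two identical probes come back as not segmented, which is the result the unsegmented campaign above would give. The ZIP-signature check in `serves_package` matters because these operations rarely bother with a correct Content-Type.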

Interestingly, both novice players in this market segment and the experienced ones implement basic evasive tactics, for instance requiring a valid mobile number to which a potential victim receives a confirmation code for accessing the inventory of rogue games and applications, thereby preventing automated acquisition of the apps for further analysis.

Moreover, a valid mobile number handed to the cybercriminals behind the campaign is naturally prone to further abuse, limited only by the preferences of those who obtained it this way; users are therefore advised to treat their mobile number in a privacy-conscious way and not to hand it over to such sites.

Updates will be posted as soon as new developments take place.

A Peek Inside a Customer-ized API-enabled DIY Online Lab for Generating Multi-OS Mobile Malware

November 12, 2013

The exponential growth of mobile malware over the last couple of years can be attributed to a variety of 'growth factors', the majority of which continue to play an inseparable role in the overall success and growth of the cybercrime ecosystem in general.

Tactics like standardization; efficiency-oriented monetization; systematic bypassing of industry-accepted, massively adopted security measures like signature-based antivirus scanning; affiliate networks helping cybercriminals secure revenue streams for their malicious/fraudulent tactics, techniques and procedures (TTPs); and the pseudo-legal distribution of deceptive software -- think scareware with long EULAs and ToS-es -- and of mobile applications -- think subscription-based premium-rate SMS malware with long EULAs and ToS-es -- continue to dominate the arsenal of tactics that any cybercriminal aspiring to occupy a market share in any segment of the cybercrime ecosystem can easily take advantage of in 2013.

What has changed over the last couple of years, in terms of concepts? A lot. For instance, back in 2007, approximately one year after I (publicly) anticipated the upcoming and inevitable monetization of mobile malware, the Red Browser started making its rounds, proving that I was sadly wrong, and once again, money and greed -- or plain simple profit maximization to others -- would play a crucial role in this then-emerging cybercrime ecosystem market segment for mobile malware. Similar monetization attempts on behalf of cybercriminals then followed, further strengthening the ambitions of cybercriminals in this emerging market segment.

With "malicious economies of scale" just starting to materialize at the time, it didn't take long before the concept got embedded into virtually every cybercrime-friendly product/service advertised on the market. With Symbian OS dominating the mobile operating system market at the time, opportunistic cybercriminals quickly adapted to steal a piece of the pie by releasing multiple Symbian-based malware variants. Sharing is caring, therefore, here are some MD5s of the Symbian malicious code that used to dominate the threat landscape back then.

Symbian OS malware MD5s from that period of time, for historical OSINT purposes:
MD5: a4a70d9c3dbe955dd88ea6975dd909d8
MD5: 98f7cfd42df4a01e2c4f2ed6d38c1af1
MD5: 6fd6b68ed3a83b2850fe293c6db8d78d
MD5: 38837c60e2d87991c6c754f8a6fb5c2d
MD5: ace9c6c91847b29aefa0a50d3b54bac5
MD5: 3f1828f58d676d874a3473c1cd01a431
MD5: 2163ef88da9bd31f471087a55f49d1b1
MD5: 0a04f6fed68dec7507d7bf246aa265eb
MD5: ad4a9c68f631d257bd76490029227e41
MD5: 7a4639488b4698f131e42de56ceeb45d
MD5: fa3de591d3a7353080b724a294dca394
MD5: 5ba5fad8923531784cd06a1edc6e0001
MD5: 66abbd9a965b2213f895e297f40552e5
MD5: 92b069ef1fd9a5d9c78a2d3682c16b8f
MD5: a494da11f47a853308bfdb3c0705f4e1
MD5: 9f38eff6c58667880d1ff9feb9093dcb
MD5: a8a3ac5f7639d82b24e9eb4f9ec5981c
MD5: 0ebc8e9f5ec72a0ff73a73d81dc6807d
MD5: a3cd8f8302a69e786425e51467ad5f7c
MD5: 522a8efdc382b38e336d4735a73e6b23
MD5: 052abb9b41f07192e8a02f0746e80280
MD5: 712a1184c5fc1811192cba5cc7feda51
MD5: bdae8a51d4f12762b823e42aa6c3fa0a
MD5: aec4b95aa8d80ee9a57d11cb16ce75ba
MD5: 6b854f2171cca50f49d1ace2d454065a
MD5: 945279ce239d2370e4a65b4f109b533b
MD5: cde433d371228fb7310849c03792479e
MD5: 957265e799246225e078a6d65bde5717
MD5: 1f1074b709736fe4504302cbc06fd0f6
MD5: 1cd241a5ea55eb25baf50af25629af27
MD5: 60d9a75b5d3320635f9e33fe76b9b836
MD5: e23f69eea5fa000f259e417b64210d42
MD5: 36503b8a9e2c39508a50eb0bdbb66370
MD5: da13e08a8778fa4ea1d60e8b126e27be
MD5: 642495185b4b22d97869007fcbc0e00f
MD5: 9af5d82f330bbc03f35436b3cc2fba3a
MD5: 6099516a39abb73f9d7f99167157d957
MD5: 6c75b3e9bf4625dc1b754073a2d0c4f1
MD5: ffb37b431ed1f0ac5764b57fa8d4cced
MD5: b3055e852b47979a774575c09978981a
MD5: 66a0bbebbe14939706093aa5831b53a7
MD5: 30a2797f33ecb66524e01a63e49485dd
MD5: 785e921ea686c2fc8514fac94dd8a9cd
MD5: 69a68bdcbad227d5d8d1a27dd9c30ce7
MD5: f246b101bc66fe36448d0987a36c3e0a
MD5: 4fd086a236c2f3c70b7aa869fa73f762
MD5: fd8b784df4bbb8082a7534841aa02f0e
MD5: 3ee70d31d0a3b6fab562c51d8ff70e6d
MD5: 3381d21f476d123dcf3b5cbc27b22ae1
MD5: 006b32148ce6747fddb6d89e5725573e
MD5: b9667e23bd400edcafde58b61ac05f96
MD5: 12527fd41dd6b172f8e28049011ebd05
MD5: c9baecb122bb6d58f765aaca800724d2
MD5: 799531e06e6aa19d569595d32d16f7cc
MD5: e301c2135724db49f4dd5210151e8ae9
MD5: 29d7c73bd737d5bb48f272468a98d673

In 2013, we can easily differentiate between the botnet-building type of two-factor-authentication-bypassing mobile trojans and the subscription-based premium-rate SMS malware ubiquitous in this market segment, which relies on deceptive advertising and successful 'visual social engineering' campaigns. The second continues to be monetized largely through one of the primary growth factors of the mobile market segment, namely affiliate networks for mobile malware.

In this post, I'll profile what can best be described as a sophisticated, customer-ized, customization- and efficiency-oriented, API-supporting DIY mobile "lab" for generating, managing and operating mobile malware campaigns across multiple mobile operating systems. The service's unique value proposition (UVP), compared to competing "labs" for managing, operating and converting mobile traffic -- the acquisition and sale of mobile traffic is a commoditized underground market item in 2013 -- orbits around its feature-rich interface, offering 100% customization, monitoring and general operation of the campaigns, while efficiently earning fraudulently obtained revenue from unsuspecting mobile device users.

Sample screenshots featuring the administration panel of an affiliate network participant:













Sample "system" domains used for hosting/rotating the generated mobile malware samples courtesy of the service:
jmobi.net - 91.202.63.75
omoby.net - 91.202.63.75
rrmobi.net - 91.202.63.75
moby-aa.ru - 91.202.63.75
mobyc.net - 91.202.63.75
mobi-files.com - 91.202.63.75
mobyw.net - 91.202.63.75
mobyy.net - 91.202.63.75
mobyz.net - 91.202.63.75

Known to have responded to the same IP are also the following malicious domains:
doklameno1.ru
doklameno2.ru
downloadakpinstall.ru
mobiy.net
moby-aa.ru
moby-ae.ru
mobyc.net
mobyw.com
mobyw.net
mobyy.net
mobyz.net
omoby.net
rrmobi.net
system-update.ru
telefontown.pp.ua

Sample Web sites serving multi-mobile-operating-system premium rate mobile malware, relying on the service:



Samples generated and currently distributed in the wild using the service:
MD5: ac69514f9632539f9e8ad7b944556ed8 - detected by 15 out of 48 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Stealer.a
MD5: e62f97a095ca15747bb529ee9f1b5057 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 0688dac2754cce01183655bbbe50a0b1 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 4062a77bda6adf6094f4ab209c71b801 - detected by 2 out of 44 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 42a6cf362dbff4fd1b5aa9e82c5b7b56 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 3bcbe78a2fa8c050ee52675d9ec931ad - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 53d3d35cf896938e897de002db6ffc68 - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 2f66735b37738017385cc2fb56c21357 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 0ec11bba4a6a86eb5171ecad89d78d05 - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 9f059c973637f105271d345a95787a5f - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: f179a067580014b1e16900b90d90a872 - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: aef4f659943cbc530e4e1b601e75b19e - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 8a00786ed6939a8ece2765d503c97ff8 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 868fcf05827c092fa1939930c2f50016 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: a6ef49789845ed1a66f94fd7cc089e1b - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 22aa473772b2dfb0f019dac3b8749bb6 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 52b74046d0c123772566d591524b3bf7 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: bbff61a2e3555a6675bc77621be19a73 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

Cybercrime-friendly affiliate networks continue, and will continue, to represent a major driving factor behind the growth of any market segment within the cybercrime ecosystem, as they result in a win-win-lose scenario for their operators, their participants and the potential victims of the fraudulent/malicious propositions/releases courtesy of these networks.

With mobile traffic acquisition available on demand, tailored to any preference a potential buyer could have, cybercriminals will continue converting it into victims, cashing in on users' overall lack of awareness of the TTPs of today's modern cybercriminals.

Updates will be posted as soon as new developments take place.

Rogue iFrame Injected Web Sites Lead to the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake Mobile Malware

September 16, 2013

A currently ongoing malicious campaign relying on iFrames injected into legitimate Web sites successfully segments mobile traffic and exposes mobile users to fraudulent, legitimate-looking variants of the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake mobile malware.

Let's dissect the campaign, expose the domain portfolio currently/historically known to have been involved in it, and list all the malicious MD5s known to have been pushed by it.

iFrame injected domains containing the mobile traffic segmentation script parked on the same IP:
asphalt7-android.org - 93.170.109.193
fifa12-android.org
gta3-android.org
fruit-ninja-android.org
wildblood-android.org
osmos-android.org
moderncombat-android.org
minecraft-android.org
googlanalytics.ws
getinternet.ws
ddlloads.com
googlecount.ws
opera-com.com
opgrade.ws
statuses.ws
ya-googl.ws
yadirect.ws
yandex-google.ws
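Given a saved copy of a page from a compromised site, a static scan can surface the injected iframe and the User-Agent sniffing script that does the mobile traffic segmentation before anything is executed. The following Python is an added example, not code from the original post; the sample HTML, the iframe paths and the redirect target inside it are constructed, and the known-bad set is taken from the domain list above (note the Google Analytics and Yandex look-alikes, chosen to blend in with legitimate tracking iframes).

```python
"""Static scan of a saved HTML page for hidden/injected iframes and for the
kind of User-Agent sniffing script that diverts mobile visitors, matched
against known campaign domains. Added example, not code from the original
post; SAMPLE_HTML is constructed, KNOWN_BAD comes from the domain list above."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

KNOWN_BAD = {"googlanalytics.ws", "googlecount.ws", "ya-googl.ws", "yandex-google.ws",
             "yadirect.ws", "opera-com.com", "ddlloads.com", "getinternet.ws"}

UA_RE = re.compile(r"navigator\.userAgent", re.I)
MOBILE_RE = re.compile(r"android|iphone|ipad|ipod|mobile|symbian|j2me|windows phone", re.I)
GOTO_RE = re.compile(r"location(?:\.href)?\s*=|location\.(?:replace|assign)\(", re.I)
TINY_RE = re.compile(r"0*[01](?:px)?")                       # width="1", height="0px"
CSS_TINY_RE = re.compile(r"(?:width|height):0*[01](?:px)?(?:;|$)")


class PageScanner(HTMLParser):
    """Collects every <iframe> tag's attributes and every inline <script> body."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def host_of(src):
    """Host of an iframe src; None for a relative (same-origin) src."""
    s = src.strip()
    if s.startswith("//"):
        s = "http:" + s
    return urlsplit(s).hostname if "://" in s else None


def looks_hidden(attrs):
    """1x1 or 0x0 frames, display:none/visibility:hidden, or pushed off-screen."""
    style = attrs.get("style", "").lower().replace(" ", "")
    return bool(TINY_RE.fullmatch(attrs.get("width", "").strip())
                or TINY_RE.fullmatch(attrs.get("height", "").strip())
                or "display:none" in style or "visibility:hidden" in style
                or CSS_TINY_RE.search(style)
                or re.search(r"(?:left|top):-\d", style))


def sniffs_mobile_ua(js):
    """Heuristic: reads navigator.userAgent, tests a mobile token, then navigates."""
    return bool(UA_RE.search(js) and MOBILE_RE.search(js) and GOTO_RE.search(js))


def scan(html):
    p = PageScanner()
    p.feed(html)
    p.close()
    frames = []
    for a in p.iframes:
        host = host_of(a.get("src", ""))
        hidden, known = looks_hidden(a), host in KNOWN_BAD
        frames.append({"src": a.get("src", ""), "host": host, "hidden": hidden,
                       "known_bad": known, "suspicious": hidden or known})
    return {"iframes": frames, "ua_sniffing": any(sniffs_mobile_ua(s) for s in p.scripts)}


# Constructed page: one legitimate embed, two injected frames, one sniffing script.
SAMPLE_HTML = """<html><body>
<h1>Game reviews</h1>
<iframe src="https://player.example/embed?v=1" width="560" height="315"></iframe>
<iframe src="http://googlanalytics.ws/stat/" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="//cdn.example/track" style="position:absolute; left:-9999px;"></iframe>
<script>
var ua = navigator.userAgent.toLowerCase();
if (ua.indexOf("android") != -1 || ua.indexOf("iphone") != -1) {
  window.location = "http://mobile-landing.example/";
}
</script>
</body></html>"""
```

`scan(SAMPLE_HTML)` leaves the visible 560x315 embed alone, flags the 1x1 googlanalytics.ws frame both as hidden and as a known campaign domain, flags the off-screen cdn.example frame on hiding alone, and reports the inline script as a mobile User-Agent sniffer. The hiding heuristics are deliberately broad: an injected frame on a hacked site has no reason to be visible, so "hidden" is a stronger signal than the domain, which rotates.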




Sample mobile malware MD5s pushed by the campaign:
MD5: e77f3bffe18fb9f5a1b1e5e6a0b8aaf8
MD5: 5fb4cc0b0d8dfe8011c44f97c6dd0aa2
MD5: 9348b5a13278cc101ae95cb2a88fe403
MD5: f4966c315dafa7e39ad78e31e599e8d0
MD5: 6f839dd29d2c7807043d06ba19e9c916
MD5: 8cfebfa7175e6e9a10e2a9ade4d87405
MD5: 4e5af55dd6a310bced83eb08c9a635b3

Phone back location: hxxp://depositmobi.com/getTask.php/task=updateOpening&s= - 93.170.107.130

Parked on the same IP (93.170.107.130) are also the following domains participating in the campaign's infrastructure:
123diskapp.com
1gameminecraft.ru
2010mobile.ru
absex.ru
ammla.info
and4mobiles.ru
android-apk-file.ru
android-games-skachat.ru.com
android-key.ru
android-market-apk.ru
android-market-cools.ru
android-vk.com
android7s.ru
androidcool.tk
androiderus.com
androidnns.ru
androidone.net
androidperfomance.com
androids-market.ru
androidupos.ru
24-android.ru
online-android.ru
moiandroid.ru
ktozdesj.ru
super-androids.ru


The following malicious mobile malware MD5s are known to have phoned back to the same IP in the past:
MD5: 572b07bd031649d4a82bb392156b25c6
MD5: 9685ff439e610fa8f874bf216fa47eee
MD5: 6d9dd3c9671d3d88f16071f1483faa12
MD5: 276b77b3242cb0f767bfba0009bcf3e7
MD5: aefdbdee7f873441b9d53500e1af34fa

What's also worth emphasizing is that a decent number of malicious Windows samples are also known to have phoned back to the same IP in the past, presumably in an attempt by fellow cybercriminals to monetize the traffic through an affiliate program:
MD5: bac8f2c5d0583ee8477d79dc52414bf5
MD5: a1ae35eadf7599d2f661a9ca7f0f2150
MD5: 419fdb78356eaf61f9445cf828b3e5cf
MD5: abce96eaa7c345c2c3a89a8307524001
MD5: 93d11dc11cccc5ac5a1d57edce73ea07
MD5: 53bbad9018cd53d16fb1a21bd4738619
MD5: 15f3eca26f6c8d12969ffb1dbeead236
MD5: 72c6c14f9bab8ff95dbaf491f2a2aff6
MD5: a282b40d654fee59a586b89a1a12cac2
MD5: e0798c635d263f15ab54a839bf6bac7f
MD5: 7b1d8820cc012deac282fc72471310bd
MD5: 21fdbb9e9e13297ae12768764e169fb4
MD5: 47fa4a3a7d94dad9fac1cbdc07862496
MD5: 5e9321027c73175cf6ff862019c90af7
MD5: cfbaccc61dc51b805673000d09e99024
MD5: 8bc4dd1aff76fd4d2513af4538626033
MD5: f6a622f76b18d3fa431a34eb33be4619
MD5: c068d11293fc14bebdf3b3827e0006ac
MD5: d68338a37f62e26e701dfe45a2f9cbf2
MD5: e1c9562b6666d9915c7748c25376416f
MD5: 1dccd14b23698ecc7c5a4b9099954ae4
MD5: 47601e9f8b624464b63d499af60f6c18

Actual download location of a sample of the mobile malware:
hxxp://mediaworks3.com/getfile.php?dtype=dle&u=getfl&d=FLVPLayer - 78.140.131.124


The following mobile malware serving domains are also known to have responded to the same IP (78.140.131.124) in the past:
4apkser.ru
absex.ru
agw-railway.com
androedis.ru
android-apk-file.ru
android-update.name
android6s.ru
android7s.ru
androidappfile.name
androidaps.ru
androidbizarre.com
androidilve.ru
androidovnloads.com
androidupss.ru
apk-load.ru
apkzona.ru
bali-special.ru
com-opera.com
dml-site.ru
download-opera.com


The same IP is also associated with the following malicious MD5s:
MD5: 8cfebfa7175e6e9a10e2a9ade4d87405
MD5: 4e5af55dd6a310bced83eb08c9a635b3

Thanks to the commercial availability of DIY iFrame injecting platforms, the current commoditization of hacked/compromised accounts across multiple verticals, the efficiency-oriented mass SQL injection campaigns, as well as the existence of beneath the radar malvertising campaigns, cybercriminals are perfectly positioned to continue monetizing mobile traffic for fraudulent/malicious purposes.

Updates will be posted as soon as new developments take place.