::Trend Micro Threat Resource Center::

09 April 2012

SMS-controlled Android malware records calls

Researchers at NQ Mobile Security have discovered a new piece of Android malware that receives instructions, i.e. is controlled, via SMS.

Dubbed TigerBot, the Trojan hides by not showing any icon on the home screen and takes the names and icons of popular and common Google and Adobe apps like "Flash" or "System" in order to blend in with the legitimate apps installed on the phone.

"In order to receive remote commands, it registers a receiver with a high priority to listen to the intent with action 'android.provider.Telephony.SMS_RECEIVED'," point out the researchers. "As a result, it can receive and intercept incoming SMS messages before others with lower priorities."

The capabilities of the malware include: recording phone calls, changing network settings, uploading the current GPS location, capturing and uploading images, sending text messages to a particular number (but, it seems, not a premium-rate one), rebooting the phone and killing other running processes. Not all of these actions work reliably, however.
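As an added illustration (not part of NQ Mobile's write-up), the following static check flags exactly the construction the researchers describe: a receiver in a decoded AndroidManifest.xml that listens for SMS_RECEIVED with an elevated intent-filter priority. The sample manifest, its package name and its receiver names are constructed for the example and are not TigerBot's.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

def _a(attr):
    """Qualify an attribute name with the android: XML namespace."""
    return f"{{{ANDROID_NS}}}{attr}"

def find_sms_interceptors(manifest_xml, min_priority=1):
    """Return (receiver name, priority) for each receiver whose intent-filter
    listens for SMS_RECEIVED at or above min_priority. Ordered broadcasts go to
    higher priorities first, so such a receiver sees the SMS before the stock app."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        for filt in receiver.findall("intent-filter"):
            actions = {a.get(_a("name")) for a in filt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            try:
                priority = int(filt.get(_a("priority"), "0"))
            except ValueError:  # non-numeric priority: treat as the default 0
                priority = 0
            if priority >= min_priority:
                hits.append((receiver.get(_a("name")), priority))
    return hits

def requests_sms_permission(manifest_xml):  # RECEIVE_SMS is needed for the trick
    root = ET.fromstring(manifest_xml)
    names = {p.get(_a("name")) for p in root.findall("uses-permission")}
    return "android.permission.RECEIVE_SMS" in names

# Constructed sample manifest (not TigerBot's): an app labelled "System" with a
# maximum-priority SMS receiver next to a harmless boot receiver.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.system">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="System">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""
```

Run find_sms_interceptors on a manifest produced by any APK decoder; a receiver reported with a very large priority alongside a RECEIVE_SMS permission deserves a closer look.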

So far, the Trojan hasn't been seen on Google Play (formerly Google's Android Market), only on third-party online marketplaces.

The researchers urge users to always be careful when downloading new apps.

"Only download applications from trusted sources, reputable application stores, and markets, and be sure to check reviews, ratings and developer information before downloading," they say.

08 April 2012

Polymorphic Facebook scam targets users

An insidious scam that can result in multiple malware downloads is currently targeting Facebook users, warns Bitdefender.

It starts rather predictably, as users inadvertently share links to a supposedly leaked pornographic video. If their friends follow the link, they are faced with a request to download a DivX plugin in order to watch the video.


"The page recommending users to install the missing plugin features several other elements to encourage users to keep clicking," points out Bitdefender.

"The video’s name hints that the sex tape belongs to a celebrity; the warning that the user’s antivirus must be disabled works on reverse psychology: though prospective viewers know this action is risky, they do it precisely because they have been warned about it; and the reference to age verification further hints at the salaciousness of the video."

When run, the downloaded "Extension YouTube" immediately redirects all newly opened tabs to a page advertising an adult chat service, then leads the user to another page that supposedly hosts the video the users wanted to see in the first place.

But now the users are asked to download yet another piece of software, the "7pic Video Premium Player".

Unfortunately for them, it's another bogus extension, one that allows the scammers to hijack the users' accounts by reading the needed cookie information and to propagate the scam further.

"This is an interesting and quite complex type of scam," says Andrei Serbanoiu, Bitdefender Online Threats Analyst Programmer.

"In data security lingo, this would qualify as a polymorphic attack, which basically means that the malicious content served can be changed by the attacker thanks to the browser extension installed. If one user lands on the adult chat page, another may reach the malware downloader or even a whole different web page set up for phishing."

07 April 2012

Instagram users targeted with spam

It's almost a given that any social service, network or app that attracts a large number of users will eventually have to face the spam and scam problem.

It happened to Facebook, Twitter, YouTube, Pinterest and many others, and Instagram - the popular photo sharing application and the network of users that grew up around it - is no exception.

Symantec researcher Satnam Narang shared the example of a spam campaign he encountered when a user commented on one of his photos, claiming that Best Buy was giving away $100 gift cards for free to Instagram users.

The shortened link takes users to a page where they are asked to enter their cell phone number in order to win the card. Only if they scroll all the way down will they notice the fine print saying that, before qualifying for their prize, they will be presented with optional third-party offers, and that they do not need to complete the offers in order to qualify.

It is not really clear what exactly the third-party "offers" are offering.


Notice that the offers can be skipped without entering any information, but the links to do so are easy to miss: they are small text links placed in the upper right corner and designed to blend in with the background.

The collected information is likely to be used for future spamming, and it's also likely that users have unknowingly agreed to subscribe to a pricey service.

"If you have given your cell phone number up during one of these scams, be sure to check your next phone bill to see if there are any unwanted charges on it for some kind of subscription service," says Narang.

He also advises users to report this type of offer by clicking on the wheel icon in the top-right corner of their Instagram profile and reporting the user that posted it.

As we haven't seen an overwhelming amount of spam hitting Instagram users, I guess that some of the changes the service has introduced do work.

05 April 2012

Apple patches critical Java flaw

This update comes almost two months after Oracle released the corresponding Java version, and only a couple of days after evidence surfaced that malware authors have been using one of the Java flaws it addresses (CVE-2012-0507) to attack Mac computers.

Our recommendation: apply the update as quickly as possible.

In addition, Mac users and IT admins for Macs should review whether Java is actually needed for their usage. If not, Java can be disabled through the Java Preferences program by unchecking both the 64-bit and 32-bit versions.


Alternatively, you can use Google Chrome, which shows a dialog each time a site tries to use the Java plugin. With the right discipline this can be a very effective measure to avoid attacks.

Yesterday Mozilla added Java to its "blocklisting" approach for Firefox. Blocklisting forbids running outdated plug-ins unless specific approval is given. Unfortunately, this is Windows-only at the moment and is not yet available on the Mac.

01 April 2012

Searching for Easter eggs leads to malware

Blackhat SEO is a popular tactic for malware peddlers to distribute their wares to unsuspecting victims, and the weeks before major holidays are always a perfect time for poisoning search results for search terms tied to them.

Easter is a couple of days away, and since gifting chocolate Easter eggs and thematically decorating homes is a big part of the celebration, it's no wonder that the results for typically innocuous search terms like "chocolate", "easter eggs" or "decorating tips easter secrets" include malicious ones.

According to Sophos, when those last two search terms are combined, the very first result leads users to an infection with a fake AV variant by the name of "Windows Care Taker".

The malware pretends to have discovered a massive infection and, in order to clean the computer, asks the victim to purchase the full version.


"The reason why SEO attacks are successful is that all of us tend to trust search engine results," says Sophos' Fraser Howard.

To keep this tendency from leading to bad outcomes, he advises installing a reputable security product; using plug-ins that hide or modify the referrer that tells a page its visitor arrived via a search engine; and looking critically at the URL of a page before clicking on it, as most of the time the domain looks completely unrelated to the topic.