Android NotCom malware resurfaces (with improvements)

filed under malware, Mobile.

Almost a year ago we reported the emergence of Android “NotCom” malware.  Much of the malware was distributed in email links sent from compromised email accounts.  What was notable then was the use of the same link to direct users to different destinations based on the visiting device.  PC or iOS users were sent to a diet scam site while Android users were singled out with a malware download. 

The method and the malware package “security.update.apk” have recently resurfaced.  Once again non-Android users are sent to a diet scam page (touting garcinia cambogia).

  Android malware notcom 2014 PC user diet scam


Malware Analysis

This year’s version is very similar to the NotCom.A that spread a year ago but is more sophisticated, featuring encryption and a P2P function. Some vendors refer to the malware as Nioserv.

The malware creates a service that runs in the background called “”. Going through the code it seems like it creates a proxy and is then used as a P2P client. All the data that it sends out is encrypted. Our AV lab did a test to see how much data was being sent and received by the malware and it turns out quite a lot. There was no service that connects to the internet running on the phone except for the malware “” and after 15 minutes it had transmitted almost 1 mb of data – that’s 96 MB in 24 hours!

Android malware notcom 2014 sceen2

Then we opened a webpage that used 0.83 mb and the malware doubled that amount of data right away. So data usage could get very expensive for mobile Internet users. And of course all browsing is going through some proxy server.

The main address that the malware is connecting to is “″ which is a private IP address. This appears to be the P2P service of the malware. By sniffing the packages from “″ we saw lots of different addresses.

Android malware notcom 2014 P2P addresses

As a result of the encryption we can only speculate as to the purpose of the malware.  It seems likely that it could steal device and user data and, as with last year’s, may be part of some Android botnet.

Trouble in Europe – SEPA-Phishing-Alert

filed under Data & Research, phishing.


European internet mailboxes are being flooded by fake emails. The reason is a change in the European money transfer system. National bank transaction rules will soon be replaced by unified rules for all European citizens. The new system is called SEPA – Single Euro Payments Area. In the future it will be more difficult to see who is transferring money to your bank account and vice versa, who received money from you because the details of the person or bank that did the transfer will be converted to a number. Implementing the new system has been delayed many times and will affect a large number of account owners. All in all, it is a pretty big mess and an ideal situation for phishing attacks.

CYREN’s GlobalView™ Security Lab (GSL) has discovered several emails sent in the name of different European bank institutes asking for personal and secure data like TAN number. The spammers copy parts of the bank’s original HTML page and add a form for the phished data

  Fake website with an original part a phishing form

 Fake website with an original part a phishing form

Increase in Extra Income and Work at home Scam Mailings

filed under Data & Research, Miscellaneous, Spam.



CYREN’s GlobalView™ Security Lab (GSL) has detected a huge increase in spam over the last few days with the share of spam approaching 90% of all email traffic. In comparison the average spam share in January 2014 was 75%. After analyzing the traffic it became clear that one campaign was behind the increase. The subject lines include:

“BREAKING NEWS: Special Report”

“BREAKING NEWS: It’s hard to believe, but…”.

Always Ahead of the Threat with CYREN’s GlobalView™ Security Center

filed under malware, Mobile, phishing, Web Security, Zombies/Botnets.

CYREN Security Center - World Map

CYREN, previously operating as Commtouch® (NASDAQ: CTCH), today announced access to the CYREN Security Center, which gives the industry online insight to the latest global trends in Internet security at


As a leading global information security company relied upon by the world’s largest service providers and software vendors for Web, email, and mobile protection, CYREN presents its Security Center as part of its effort to further expand the visibility into its powerful GlobalView™ Security Cloud, the most robust malware transaction base in the industry.


 Global Trends

Based on this extensive GlobalView cloud infrastructure, the online Security Center shows the full scope of global Web, email and mobile threats, featuring a homepage map that illustrates the reach of malware, phishing and spam – such as new malware sites in Chile, new Android malware detected in Cambodia, and new spam domains in Taiwan.

90-Day Spam Campaign Turns to Santa in December – Commtouch Security Number of the Month

filed under CYREN Security Number of the Month.

Today the Commtouch Security Lab (CSL) published its Security Number of the Month for December:  Ninety days ago a substantial spam campaign focusing on dubious offers and fake prizes began. However since December 10, the campaign has been thematically recycled and sent as a Christmas themed email, featuring subjects such as “Letter from Santa For Your Child.”

Number of the Month December 2013.