Almost a year ago we reported the emergence of Android “NotCom” malware. Much of the malware was distributed in email links sent from compromised email accounts. What was notable then was the use of the same link to direct users to different destinations based on the visiting device. PC or iOS users were sent to a diet scam site while Android users were singled out with a malware download.
The method and the malware package “security.update.apk” have recently resurfaced. Once again non-Android users are sent to a diet scam page (touting garcinia cambogia).
This year’s version is very similar to the NotCom.A that spread a year ago but is more sophisticated, featuring encryption and a P2P function. Some vendors refer to the malware as Nioserv.
The malware creates a service that runs in the background called “com.security.patch”. Going through the code, it appears to set up a proxy and then act as a P2P client. All the data it sends out is encrypted. Our AV lab ran a test to see how much data the malware sends and receives, and it turned out to be quite a lot. No service other than the malware “com.security.patch” was connecting to the Internet from the phone, and after 15 minutes it had transmitted almost 1 MB of data – that’s 96 MB in 24 hours!
Then we opened a webpage that used 0.83 MB, and the malware immediately doubled that amount of data. Data usage could therefore get very expensive for mobile Internet users. And of course all browsing is going through some proxy server.
The main address the malware connects to is “172.16.1.5”, a private IP address. This appears to be the P2P service of the malware. By sniffing the packets to and from “172.16.1.5” we saw lots of different addresses.
Because of the encryption we can only speculate as to the purpose of the malware. It seems likely that it could steal device and user data and, as with last year’s version, may be part of an Android botnet.
–BY FRANK RICKERT–
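The device-dependent redirect described in the NotCom post above (one link, a diet scam for PC/iOS visitors, an .apk download for Android) can be checked from an analysis host by resolving the same link once per User-Agent profile and comparing where each one ends up. This is an added example, not CYREN's tooling; the User-Agent strings, the example hosts and the `fake_resolver` are constructed so the check runs offline.

```python
"""Flag links whose final destination depends on the visitor's User-Agent."""
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Constructed User-Agent strings for the three device classes the post names.
PROFILES = {
    "android": "Mozilla/5.0 (Linux; Android 4.4; Nexus 5) AppleWebKit/537.36 Chrome/33.0 Mobile Safari/537.36",
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51 Mobile/11A465 Safari/9537.53",
    "pc": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/33.0 Safari/537.36",
}

def resolve_final_url(url, user_agent, timeout=10):
    """Follow HTTP redirects with a HEAD request and return the final URL.
    Only HTTP-level redirects are followed; JavaScript or meta-refresh hops
    are missed, so a 'not cloaked' verdict is not conclusive."""
    req = Request(url, headers={"User-Agent": user_agent}, method="HEAD")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.geturl()
    except HTTPError as err:  # e.g. 405 on HEAD: still report where we ended up
        return err.filename

def classify_link(url, resolver=resolve_final_url):
    """Resolve `url` once per device profile; report per-profile destinations,
    whether the destination hosts diverge, and which profiles get an .apk."""
    destinations = {name: resolver(url, ua) for name, ua in PROFILES.items()}
    hosts = {urlsplit(d).netloc.lower() for d in destinations.values()}
    apk_profiles = sorted(n for n, d in destinations.items()
                          if urlsplit(d).path.lower().endswith(".apk"))
    return {
        "destinations": destinations,
        "cloaked": len(hosts) > 1,
        "apk_profiles": apk_profiles,
    }

# Constructed resolver reproducing the behaviour the post describes, so the
# check can be exercised without contacting any real site.
def fake_resolver(url, user_agent):
    if "Android" in user_agent:
        return "http://malware.example/security.update.apk"
    return "http://diet.example/garcinia-offer.html"

if __name__ == "__main__":
    print(classify_link("http://link.example/track?id=1", resolver=fake_resolver))
```

Pass `resolver=resolve_final_url` (the default) to run the check against a live link from an isolated analysis host.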
European Internet mailboxes are being flooded by fake emails. The reason is a change in the European money transfer system: national bank transaction rules will soon be replaced by unified rules for all European citizens. The new system is called SEPA – Single Euro Payments Area. In the future it will be harder to see who is transferring money to your bank account and, vice versa, who received money from you, because the details of the person or bank behind a transfer will be converted to a number. Implementing the new system has been delayed many times and will affect a large number of account owners. All in all, it is a pretty big mess and an ideal situation for phishing attacks.
CYREN’s GlobalView™ Security Lab (GSL) has discovered several emails sent in the name of different European banks asking for personal and sensitive data such as TAN numbers. The spammers copy parts of the bank’s original HTML page and add a form for the phished data.
Fake website with an original part and a phishing form
– BY FRANK RICKERT –
CYREN’s GlobalView™ Security Lab (GSL) has detected a huge increase in spam over the last few days, with the share of spam approaching 90% of all email traffic. By comparison, the average spam share in January 2014 was 75%. After analyzing the traffic it became clear that one campaign was behind the increase. The subject lines include:
“BREAKING NEWS: Special Report”
“BREAKING NEWS: It’s hard to believe, but…”.
CYREN, previously operating as Commtouch® (NASDAQ: CTCH), today announced access to the CYREN Security Center, which gives the industry online insight to the latest global trends in Internet security at www.CYREN.com/security-center.
As a leading global information security company relied upon by the world’s largest service providers and software vendors for Web, email, and mobile protection, CYREN presents its Security Center as part of its effort to further expand the visibility into its powerful GlobalView™ Security Cloud, the most robust malware transaction base in the industry.
Based on this extensive GlobalView cloud infrastructure, the online Security Center shows the full scope of global Web, email and mobile threats, featuring a homepage map that illustrates the reach of malware, phishing and spam – such as new malware sites in Chile, new Android malware detected in Cambodia, and new spam domains in Taiwan.
Today the Commtouch Security Lab (CSL) published its Security Number of the Month for December: ninety days ago a substantial spam campaign focusing on dubious offers and fake prizes began. However, since December 10 the campaign has been thematically recycled and sent as Christmas-themed email, featuring subjects such as “Letter from Santa For Your Child.”