G Data Malware Report Half-yearly report January – June 2012 G Data SecurityLabs


G Data Malware Report

Half-yearly report January – June 2012 G Data SecurityLabs


Copyright © 2012 G Data Software AG 1

G Data Malware Report 1/2012

Contents

At a glance .......... 2
Malware: facts and figures .......... 3
    High and low tide .......... 3
    Categories: spyware is very much on the rise .......... 3
    Platforms: >>Windows rules!<< .......... 5
    Android malware: when is the deluge going to arrive? .......... 6
    Is there much of a risk for Mac OS X? .......... 7
Risk monitor .......... 9
Website analyses .......... 11
    Categorisation by topic .......... 11
    Categorisation by server location .......... 13
Online banking .......... 14
Mobile malware .......... 16


At a glance

• The number of new malware types has increased to 1,381,967. However, the growth since the last half of 2011 was merely 3.9%.

• In particular the spyware category has recorded growth, making it the second biggest category now.

• The number of new downloaders and backdoors is also on the rise, indicating that existing botnets are maintained.

• The share of Windows malware has increased to 99.8%.

• 25,611 new Android malware files have arrived in the G Data SecurityLabs.

• Some banking Trojans exhibit new attack schemes but Sinowal is still top-ranked.

• All areas show that attackers want to make as much profit as possible with as little effort as possible.

Events

• Some people in the ZeuS/SpyEye and also Carberp environment were targeted by investigators.

• In May 2012, the complex Flame malware code caused a stir and, after Stuxnet and Duqu, attracted a lot of attention in targeted cyber-spy malware circles.

• "Operation Ghost Click": DNSChanger malware infected computers around the globe and thus caused those affected by it to experience Internet connection problems.

• Popular messenger WhatsApp for smartphones made negative headlines because any data sent using Wi-Fi could be recorded.

Outlook for the second half of 2012

• The number of new malware types will not increase dramatically.

• New banking Trojans will appear and become even more professional.

• Android malware will get more sophisticated and the number of cases will continue to rise.

• Financially motivated malware will be adapted for the Mac OS platform.


Malware: facts and figures

High and low tide

The number of new computer malware programs has been increasing continuously for years. That was also the case in the first half of 2012. Overall, 1,381,967 new malware program types1 have surfaced. That is a plus of 3.9% compared to the previous half-year and more than 11.0% more than in the year before. In the first half of the year, G Data SecurityLabs recorded 316 new malware types per hour, on average. There is no indication of a dramatic increase in the second half of the year. For 2012, we expect a slight increase compared to the previous year – we will probably not reach the 3 million malware types milestone.

Categories: spyware is very much on the rise

Malware programs can be classified based on the malicious actions that they execute in an infected system. The most important categories are shown in Figure 2. The activities of the spyware group include the recording of keystrokes, searching the system for passwords and access data for games, email portals and financial services providers, as well as the manipulation of financial transactions. In the first half of 2012, its share has grown once again, and is now 17.4%. The number of spyware instances that target games login data has seen a particularly marked increase. The number of banking Trojans in the spyware category has risen by almost 14%. Online banking has established itself as a market in the underground economy. Spyware thus takes second place, after the group of Trojan horses, which covers many different malware functions.

1 The figures in this report are based on the identification of malware using virus signatures. They are based on similarities in the code of harmful files. Much malware code is similar and is gathered together into families, in which minor deviations are referred to as variants. Fundamentally different files form the foundation for their own families. The count is based on new signature variants, also called malware types, created in the first half of 2012.

Figure 1: Number of new malware programs per annum since 2006


The number of backdoors, downloaders and tools is also increasing. This shows that many computers are still being integrated into botnets. Downloaders ensure that malicious files are loaded onto the computer once it has been infected. Backdoors then make it possible to control the computers remotely and integrate them into a botnet. Tools are used to automatically spread infections, manage botnets or use zombie computers for criminal purposes such as the sending of spam.

The number of ransomware types, which belong to the group of Trojans, has also increased. These programs lock the computer or encrypt files and then use a variety of excuses to demand a ransom that is to be paid via uKash, paysafecard or another anonymous payment service. Popular purported reasons are missing Windows registrations, downloads of copyright protected files or use of illegal software. The request for payment is often underlined by abusing the name of an important organisation. Police departments, Microsoft and organisations that enforce copyrights such as the GVU or GEMA often appear in this context.

Figure 2: Number of new malware programs per category in the last five six-month periods

Screenshot 1: Collection of locked screens from international ransom malware


For attackers the spreading of encryption Trojans and Fake AV malware is lucrative because the ransoms paid go directly to the attackers. They have no need to involve any middlemen (e.g. the so-called money mules) or to take any other action to get the booty. Experience has shown that most cyber criminals want to make as much money as possible with as little effort as possible. This applies to PC malware as well as to malware designed for mobile devices2.

Platforms: >>Windows rules!<<

Computer programs are written for certain operating systems or work environments. This also applies to malware. Windows has had a large and growing share here for years, and things are no different in the first half of 2012. Malware for Windows3 has increased its share by another 0.2% to 99.8%. Most new malware still appears in the Windows environment. Malware on websites is currently in third place. Here, however, the signature-based count does not allow us to draw any clear conclusions regarding the number of new malware programs. Most of the web scripts have been and still are detected using generic signatures; hence, there is no need for new signatures that would appear as "new" in the statistics. The situation for mobile platforms and malware for Apple computers is similar. Here, the numbers in the "Risk monitor" section, page 9, are much more conclusive as they are based on actual attacks.

Rank  Platform     #2012 H1   Share    #2011 H2   Share    Diff. 2012 H1 vs 2011 H2   Diff. 2012 H1 vs 2011 H1
1     Win          1,360,200  98.4%    1,305,755  98.2%    +4.2%                      +11.7%
2     MSIL            18,561   1.4%⁴      18,948   1.4%    -2.0%                      -14.6%
3     WebScripts       1,672   0.1%        2,402   0.2%    -30.4%                     -46.5%
4     Java               662  <0.1%          244  <0.1%    +171.3%                    +111.5%
5     Scripts⁵           483  <0.1%          626  <0.1%    -22.8%                     -42.0%

Table 1: Top 5 platforms of the last two six-month periods

2 See the "Mobile malware" section, page 12.
3 For us, malware for Windows means executable files in PE format that are declared there for Windows or executed files created in Microsoft Intermediate Language (MSIL). MSIL is the intermediate format that is used in the .NET environment. Most .NET applications are platform independent but they are used almost exclusively on Windows computers.
4 At this point, a rounding error has been corrected, from the incorrect 1.3% to 1.4%.
5 "Scripts" are batch or shell scripts or programs that have been written in the VBS, Perl, Python or Ruby programming languages.


Figure 3: Distribution of samples with a clear date

Android malware: when is the deluge going to arrive?

Different values can be used to count Android malware. One method of counting is based on the analysis of the number of new malicious files. In the first half of 2012, a total of 25,611 new malicious files6 arrived in the G Data SecurityLabs. Unfortunately, it is difficult to map the time distribution of the individual samples7 because we do not have the exact date on which the file was registered for the first time for each sample.8 Figure 3 shows the distribution of samples that could be clearly assigned to a date.

The files that could not be clearly assigned to a date usually come from collections that include malicious files from an extended period. If you evenly distribute these files to the preceding months9, this results in the distribution in Figure 4. According to this calculation, the number of new Android malware is increasing continuously.

Based on signatures10, the individual files can be assigned to certain families and their variants. The 25,611 malicious files can be mapped to 737 malware variants. The 737 malware variants are based on 217 malware families, 80 of which appeared in the last six months. Table 2 shows which families have the largest number of variants.

6 Android malware can be identified based on several files. The installation package (APK) contains numerous files, which include the code and the properties among other things. In this way of counting, detections for APK and their respective components are summarised to one malicious file, even if there are several files in our collection.
7 The term "samples" stands for malicious code files. Samples, also called random samples, are distinguished using their checksums.
8 53.1% of the malicious files could be assigned to an exact date. The assignment took place on 23 August 2012.
9 In the current calculation, a retrospective distribution over 6 months was carried out.
10 The count of signatures and variants is based on the signatures from the G Data MobileSecurity products.

Figure 4: Time distribution of samples after adjustment
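To make the retrospective adjustment behind Figure 4 concrete, the following is an added Python example, not code from the G Data report: undated files are spread evenly over the preceding six months and added to the dated counts. Only the total of 25,611 files and the 53.1% dated share come from the report; the monthly dated counts are constructed for illustration.

```python
# Added example (not from the G Data report): retrospective redistribution of
# undated Android samples over the preceding months, as the text describes.

# Constructed input: dated files per month for January-June 2012. The report
# states 25,611 new files, 53.1% of which could be dated; the monthly split
# below is invented so that the example runs and the shares work out.
DATED_BY_MONTH = {
    "2012-01": 1_800,
    "2012-02": 2_000,
    "2012-03": 2_100,
    "2012-04": 2_400,
    "2012-05": 2_600,
    "2012-06": 2_699,
}
TOTAL_FILES = 25_611


def undated_count(total, dated_by_month):
    """Files that could not be assigned to a date (total minus dated)."""
    dated = sum(dated_by_month.values())
    if dated > total:
        raise ValueError("dated samples exceed the total number of files")
    return total - dated


def dated_share(total, dated_by_month):
    """Fraction of files with a clear date (the report's 53.1%)."""
    return sum(dated_by_month.values()) / total


def spread_evenly(count, months):
    """Spread `count` files over `months` so every month gets an integer share
    and the shares add up to exactly `count`. Any remainder that does not
    divide evenly is given to the latest months, one file each."""
    n = len(months)
    if n == 0:
        raise ValueError("need at least one month to spread over")
    base, rem = divmod(count, n)
    return {m: base + (1 if i >= n - rem else 0) for i, m in enumerate(months)}


def adjusted_distribution(total, dated_by_month, window=6):
    """Footnote 9 of the report: distribute the undated files evenly over the
    last `window` months and add them to the dated counts. Returns a dict in
    month order whose values sum to `total`."""
    months = list(dated_by_month)
    if window > len(months):
        raise ValueError("window longer than the observed period")
    extra = spread_evenly(undated_count(total, dated_by_month), months[-window:])
    return {m: dated_by_month[m] + extra.get(m, 0) for m in months}


def is_rising(distribution):
    """True if every month is higher than the one before (the report's
    'increasing continuously' reading of Figure 4)."""
    values = list(distribution.values())
    return all(a < b for a, b in zip(values, values[1:]))


if __name__ == "__main__":
    print(f"dated share: {dated_share(TOTAL_FILES, DATED_BY_MONTH):.1%}")
    for month, n in adjusted_distribution(TOTAL_FILES, DATED_BY_MONTH).items():
        print(month, n)
```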


We assume that the number of new malicious files as well as the number of new families will continue to rise because malware authors can invent new attack scenarios, which are then described in new families.

Is there much of a risk for Mac OS X?

For years, the malware market has been dominated by malware for Windows. So far other platforms have not played much of a role, and they still don't. Windows users even had to suffer through mocking ad campaigns with sniffly Windows PCs. Now, however, it looks as though users of Apple's Mac OS X also have to take care of the health of their systems.

Over the last few years, only very few malware programs were discovered for Mac OS X. 2006 produced Leap, the first worm for Mac OS X. Leap sent itself to all contacts in iChat as a TGZ archive. Its reach remained very limited and, for a long time, Leap was the only malware for Mac OS. The year after that, DNSChanger, a Trojan horse, appeared pretending to be a QuickTime codec and stealing personal data once it was installed. The tried and tested Windows social engineering trick has only found a few victims among Mac OS users so far.

In 2008, Mac OS computers experienced a first, small scareware wave with MacSweeper. In addition to outputting annoying messages, the malware demanded $39.99 to be paid by credit card. Spyware was also adapted for Mac OS X shortly thereafter (e.g. Hovdy). 2009 produced IService, a malware that pretended to be iWorks and integrated the computer into a botnet via a backdoor. Despite the spyware, backdoors and separate methods of spreading that were available by then, there continued to be few issues with Mac OS malware. At the start of 2010, the group that had very successfully spread the WinWebSec scareware under Windows started targeting Mac users. Products called MacDefender, MacSecurity and MacProtector are all very similar. They were introduced to the computers through manipulated Google search screens. Frequent appearances of porn sites were supposed to convince the Mac users that their PCs were infected and in need of protective software. According to insider reports, Apple's hotline was bombarded with enquiries. However, it took a while until instructions for removing the malware were provided. Another variant called MacGuard had the look and feel of Mac OS X programs and installed itself without querying a password.

In February 2012, the first variants of Mac malware Flashback were discovered. These variants exploit vulnerabilities in Java to infect users when visiting a website without the users noticing this.

Family      # variants
FakeInst    59
Jifake      50
OpFake      44
KungFu      39
BaseBridge  21
GinMaster   20
JSmsHider   15
RuFraud     15
Adrd        13
MobileSpy   13

Table 2: List of Android families with the most variants in H1 2012


Among other things, the malware integrated infected Macs into a botnet. In April, it was reported that more than 600,000 Mac computers – mostly those with the Snow Leopard operating system – were infected. For the first time ever, Apple published a special tool for removing the malware. Hence, malware has definitely arrived in the Mac universe.

The test period is over

This is no longer proof of concept malware! The underground is raring to go. Apple computers have just as many unpatched vulnerabilities and opportunities for exploiting these as their Windows counterparts.

Another sign of change in the malware realm for Mac computers is the fact that Apple has removed the slogans "It doesn’t get PC viruses" and "Safeguard your data. By doing nothing" from its company website and replaced them with "It's built to be safe" and "Safety. Built right in".11

Over the next few months, we are expecting more financially motivated malware to be ported to Mac OS X. Areas in which Windows and Mac OS intersect will be the first to be affected: social engineering and exploits that can be activated through websites and browsers.

11 http://www.huffingtonpost.co.uk/2012/06/25/apple-removes-claims-of-viruses_n_1624309.html


Risk monitor

In the first half of 2012, the number of attacks fended off on computers of G Data users with activated MII12 increased again.

Rank  Name                                    Percent
1     Trojan.Wimad.Gen.1                      3.82%
2     Win32:DNSChanger-VJ [Trj]               1.33%
3     Exploit.CplLnk.Gen                      0.76%
4     Worm.Autorun.VHG                        0.67%
5     Trojan.Sirefef.BP                       0.67%
6     Trojan.Sirefef.FZ                       0.54%
7     Trojan.AutorunINF.Gen                   0.54%
8     Win64:Sirefef-A [Trj]                   0.36%
9     Trojan.Sirefef.BR                       0.29%
10    Gen:Variant.Application.InstallCore.4   0.29%

Table 3: MII statistics for the first half of 2012

Let's first look at Trojan.Wimad.Gen.1, number 1 in the G Data MII top 10 of the first half of 2012. With almost 4% it is at the top of the charts and thus responsible for almost one in 26 detections by G Data customers. The malware, which prompts users to download and install codecs or programs that it claims are necessary for playing digital media files, has been a fixture in the statistics for a long time.

The Autorun malware in 4th and 7th place as well as the exploit Exploit.CplLnk.Gen at number 3 are no newcomers to the statistics of defeated attacks either and were already mentioned in previous malware reports.

The highest-ranking newcomers in this list are the Trojan horses of the Sirefef family with their various components. The family occupies a whopping four out of ten spots. It is extremely versatile and its modular structure enables it to execute a wide range of attacks. Rootkit functions try to hide the malware code on the infected PC; in these cases the malware primarily alters system files and manipulates search engine results in the web browsers. The intention behind this: the affected user is supposed to generate revenue for the attackers by clicking on the manipulated results (pay per click advertising). Sirefef is spread through web attacks using exploit kits (e.g. Blackhole or Crimepack), as well as emails with malicious file attachments. Detections of malware of the Sirefef family are still on the rise and, according to observations by G Data SecurityLabs, Sirefef often brings with it a variant of a DNSChanger as payload. Win32:DNSChanger-VJ [Trj], which currently holds 2nd place in the top 10, deserves a special mention. In general, however, the payload, i.e. the evil baggage, of a Sirefef dropper component can be any type of malicious code and is determined purely by the malware author's preferences.

12 The Malware Information Initiative (MII) relies on the power of the online community and any customer that purchases a G Data security solution can take part in this initiative. The prerequisite for this is that customers must activate this function in their G Data security solution. If a computer malware attack is fended off, a completely anonymous report of this event is sent to G Data SecurityLabs. G Data SecurityLabs then collects and statistically assesses data on the malware.


It is notable that the number of adware detections has decreased significantly. In the first half of the year we merely saw Gen:Variant.Application.InstallCore.4 as a representative of the potentially unwanted programs (or PUP for short) in the top 10. While the share of clearly identifiable attacks from adware fluctuated greatly in the second half of 2011, the last six months have shown a distinct downward trend in PUP attacks, at a generally lower level, while the share of adware within them remained unchanged.13

13 See Figure 3

Figure 5: Share of potentially unwanted programs (PUP) detected by the Malware Information Initiative showing the share of adware


Website analyses

Categorisation by topic

A grouping of detected malicious websites14 from the second half of 2011 by subject areas shows only minor changes compared to the previous period. The count does not distinguish between domains set up specifically for this purpose and legitimate sites that were manipulated.

Once again, the top five places are responsible for more than half of the classified domains and the entire top 10 adds up to 70.7%, which basically covers the main subject areas for malicious websites, though coverage has dropped by 2.4% since H2 2011.

The two classifications education in 8th place and music in 10th place are new in the ranking.

They have replaced the subject areas file sharing services (previously ranked 5th) and health (previously ranked 7th). The fall in the number of malicious websites in the file sharing services sector could be related to legal steps taken against swap shops such as The Pirate Bay or against file sharing websites.

The entrant music appears in combination with the subject entertainment, which matches the rise of Trojan.Wimad.Gen.1 in Table 2. Since, as mentioned above, the swapping of files on P2P networks is being increasingly targeted by the authorities, users employ other tactics to get the files they want. This includes downloading the files directly from websites, without special software. This then presents some well-known scenarios: the website can be infected and attack the user, or the website contains manipulated files that install the malware on the computer when started. In addition, the website can also be a phishing trap, which queries all sorts of user data before the download.

The main explanation for the rise in websites classified as games (from 10th to 6th place) is the rise in malicious sites related to the classic game Starcraft. Sites on this topic were dominant in this area. The blog category has also risen in the ranks (from 8 to 4) and reminds us once again that mass attacks on blog systems are one of the most popular methods of attack. Irrespective of whether the attackers are exploiting an existing vulnerability in the system or hack or steal the access password: as soon as they have access, the blog and its visitors are exposed to attacks.

14 In this context, malicious websites include phishing sites as well as malware sites.

Conclusion

The analysis of the affected subject areas clearly shows that there is always a risk of infection at any time, and that it can happen to anyone! In particular the risk in the blog subject category shows that cyber attackers try to maximise the damage they cause with as little effort as possible and try to reach a large number of potential victims. Mass attacks on blog management systems with security vulnerabilities are popular and occur daily.

That aside, a popular topic, such as the European Cup15 or the Olympic Games16 this year, obviously makes a more attractive target thanks to the potentially higher number of visitors. To execute successful malware and spam campaigns, attackers will prepare their own websites and register special domains for them, or try to hack existing systems to exploit their popularity and structure.

15 http://blog.gdatasoftware.com/blog/article/homepages-of-several-famous-european-football-clubs-hacked.html
16 http://www.gdatasoftware.co.uk/about-g-data/press-centre/news/news-details/article/2836-2012-olympics-sports-fans-tar.html


Categorisation by server location

In addition to the analysis of the subject areas involved, it is also interesting to take a look at the geographical distribution of malicious websites. The world map in Figure 6 shows how many hosted, malicious websites there are in different countries.

Things have changed somewhat since the second half of 2011. France is no longer the number one in Europe and has been replaced by Germany. The number of malicious websites in Turkey has fallen significantly since the last analysis. In general, the significance of European countries with regard to the hosting of malicious websites has not changed much; only the numbers of the United Kingdom, Sweden and the Netherlands have increased moderately.

The picture overseas is also familiar. The USA is still the country with the most malicious websites hosted and in Asia the numbers in China and Thailand have risen but those in India have dropped.

Figure 6: Choropleth map showing how many hosted, malicious websites there are in different countries (colour scale from less popular to popular server locations)


Online banking

The first half of the year 2012 was marked by the legal prosecution of some of the most important people behind banking Trojans. In the underground, the author of the SpyEye Trojan had announced that he would be working intensively on version 2 of his malware and would therefore not be contactable for a while. Shortly afterwards, however, it became known that charges had been filed against him, which is probably the actual reason for his absence. In addition to the creator of SpyEye, the creator of ZeuS was also targeted by investigators.17

Table 4: Share of banking Trojan families detected by BankGuard in Q1 and Q2 2012

While the spread of SpyEye thus declined slightly in the second quarter of 2012, no such tendency was detected with regard to ZeuS. Quite the opposite: the number of ZeuS infections rose rapidly. This is due to the fact that the author of ZeuS has practically no role any more since the source code was published, and that malware authors now create their own versions based on this source code. ZeuS itself has now been replaced with clones of the Trojan.

Clones published in 2011, such as IceIX and LICAT, reached massive numbers but were not very innovative. That was not the case with the clones that appeared in 2012: Gameover was noticed communicating through peer-to-peer networks instead of ordinary structures with individual central servers. Since central servers present a single point of failure in the infrastructure of botnets because they can be shut down by investigating authorities or providers, this innovation greatly increased the stability of the botnet. Citadel also made a name for itself. The programmers offered buyers support agreements and the option to request features, characteristics that are usually found in commercial software or large open source projects.

17 http://krebsonsecurity.com/2012/03/microsoft-takes-down-dozens-of-zeus-spyeye-botnets/

Q1 2012:  Sinowal 49.9%    SpyEye 18.2%    ZeuS 16.2%    Bankpatch 12.5%    Carberp 1.9%    Others 1.3%
Q2 2012:  Bankpatch 34.1%  Sinowal 30.9%   ZeuS 20.4%    SpyEye 13.1%       Others 1.4%

Figure 7: Share of banking Trojan families detected by BankGuard in H1 2012


But not only the creators of ZeuS and its self-declared successor SpyEye faced legal problems. Some of the people behind the Carberp Trojan were also arrested. At the end of 2011, Carberp still had rapidly growing infection numbers thanks to the integration of a bootkit. After the arrests in March18 and June 201219, the Trojan sank into oblivion again.

The infection numbers of Sinowal were at the usual high levels. In the second quarter, however, Bankpatch managed to climb to the top of banking Trojans for the first time. This was made possible by unusually high levels of activity in the implementation of new mechanisms for deactivating anti-virus products.

Other Trojans, such as Bebloh, Ramnit, Silentbanker and Gozi, remained mostly insignificant.

What was also remarkable in the first half of 2012 was the professionalisation of the attack schemes themselves. For example, a new SpyEye variant was identified, which activates the victim's web cam and uses the video stream for its purposes.20 Most past attack schemes were relatively simple. For example, when a victim logged into online banking, he was prompted to enter a large number of TANs, which were then forwarded to the attacker. Even if the input screen was displayed with the layout of the online banking website, it appears that the banks' warnings have had the effect that increasingly fewer customers fall into this classic social engineering trap. Earlier attack schemes also ended with the transfer of money from the customer to the attacker. No attempts were made to disguise the theft. Attentive customers could thus notice immediately that money was missing from their accounts. Since banks increasingly withhold suspicious transfers for a time, customers were able to stop the actual transfer if they promptly notified their bank. However, newer methods are more sophisticated: In so-called Automatic Transfer System (ATS) schemes21, the entire theft takes place without customer interaction. Account balances and lists of transactions are also manipulated in such a way that the victim does not notice the theft.

G Data BankGuard technology reliably prevents these attacks as well, because it blocks the insertion of the underlying code, i.e. the man-in-the-browser attack. In the first half of 2012, no banking Trojan was discovered that used a different form of attack and was not detected by G Data BankGuard!

For the second half of 2012, it can be expected that other persons from underground circles will try to take over the roles of the authors of ZeuS and SpyEye. However, it would not come as a surprise if they kept more to the background to avoid legal prosecution. In addition, we can expect the attack schemes to become even more professional.

18 http://group-ib.com/?view=article&id=664
19 http://group-ib.com/index.php/o-kompanii/176-news/?view=article&id=633
20 http://blog.gdatasoftware.com/blog/article/spyeye-living-up-to-its-name.html
21 https://www.net-security.org/malware_news.php?id=2163


Mobile malware

Mobile end devices are becoming increasingly appealing to malware authors, and their appeal increases with the continued growth of the smartphone market. While 700,000 Android OS devices were activated each day in December 2011, this figure had risen to 900,000 devices a day by June 2012.²² For malware authors, exploiting this market is no longer just an opportunity to quickly get the users' money with little effort; there is a trend towards malware which promises the authors a sustainable source of income.

There is a great range of malware in the wild. The net is teeming with Trojans, viruses, riskware and backdoors. However, these malware instances can no longer be recognised simply by a badly designed or incorrectly programmed app. One of the reasons for this is that the authors of such malware are getting ever more creative and careful when it comes to hiding the malicious functions in an app. Hence, most mobile malware does actually provide the advertised functions. Even attentive users hardly stand a chance against these visually and technically sophisticated methods of hiding content. The best possible protection here is to download only from trustworthy sources and to use comprehensive security software to detect invisible dangers.

Malware authors' demands on their own malware are on the rise. In 2011, most of the malware for mobile devices that was circulated still focused on the quick buck in the form of premium SMSs and premium calls, which usually became visible only on the bill at the end of the month. To this end, the malware hid in trustworthy and well-known applications and could mainly be found on websites or on third-party markets. Spying on users and devices was also popular amongst malware authors. This ranged from web banners in apps that led to questionable websites, on which users were prompted to enter their personal data in order to use a game for free, to notifications that tried to convince users to install other apps or to recommend them to friends by SMS or email, irrespective of the originally installed app.

2012 also marked the appearance of completely reprogrammed or even new original apps that provided the full scope of functions advertised but also contained hidden malicious functions. As a result, even the official Google Play Store distributed malware for several days or even weeks before it was discovered. Even skilled users cannot always detect immediately whether a popular and frequently downloaded app is harbouring malware.

The dark outlook for 2012 from the last Malware Report has thus been confirmed. In addition, it is not just the amount of malware that is increasing²³, but also the number of malware authors. However, legal steps against malware authors are also being taken in the mobile area, for example the case against two men in France who allegedly earned up to €100,000 with Android malware.²⁴

22 See Screenshot 2
23 See the chapter "Android malware: when is the deluge coming?", page 6
24 http://www.linformaticien.com/actualites/id/23741/2000-utilisateurs-d-android-escroques-en-seine-saint-denis.aspx

Screenshot 2: Andy Rubin's tweets about activations of Android devices (source: http://twitter.com/ARUBIN)


In the first half of 2012, Trojan FakeDoc, also known as Battery Doctor, used a very successful concept to infect a large number of Android devices. Ostensibly an app designed to optimise the mobile device's battery usage, the Trojan also has extensive and sophisticated malicious functions. User awareness of these functions is very limited.

FakeDoc not only spies on the infected device and the user. It also sends the collected data to a remote server and displays unwanted advertising notifications even after the original app has been removed. The collected data includes Google account information, the version of the operating system and browser, the GPS position of the device, the phone number as well as the IMEI of the device, which uniquely identifies it. What is special about the functions of this Trojan is the so-called push service, which is installed as a separate module and displays small notifications. Here, the service is used to display advertising banners for which the attackers earn money for every click, a trick that is already widespread among PC malware. As already mentioned: even if a user makes the connection between the pop-ups and the Battery Doctor app and removes this app, the notifications persist and thus continue to fill the attackers' coffers.

Over the last six months, the following malware also appeared in large numbers: the backdoor Android.Backdoor.Plankton.A, or Plankton for short. Phones infected with this backdoor send, for example, the browser history and bookmarks as well as the IMEI and IMSI to a destination defined by the attacker, which makes it possible to uniquely identify a user's device. Android.Trojan.BaseBridge.A, or BaseBridge for short, as well as the still very widespread Android.Trojan.Geimini.E, or Geimini for short, whose first variants were already discovered in 2010, were also active in the first half of 2012. Their ongoing success is due to the sheer number of infected apps.

Screenshot 3: Trojan FakeDoc disguised in a battery booster app

Screenshot 4: Trojan MMarketpay hiding in the fully functional weather app GO Weather


Banking Trojan Zeus-in-the-Mobile (ZitMo), which forwards mTANs received by SMS to a server, is also still on the loose. Particularly popular apps continue to be the targets of malware authors in 2012. It is not always the app's fault that attackers get a chance to access user data and information.

In the case of the popular messenger service WhatsApp, which has now established itself as a replacement for SMS on smartphones, an attacker could intercept all sent data, images, messages and GPS information without having manipulated the actual app.²⁵ This was due to incorrect programming of the WhatsApp application: over Wi-Fi, all data was sent in unencrypted form and could thus be intercepted (the exception being the BlackBerry version). A sniffer published by a software developer thus makes it easy to exploit this situation, even for inexperienced attackers.

Apps that exploit these types of security flaws, and Trojanised apps, be they newly developed or manipulated copies of successful, harmless applications, will continue to appear because the ratio of the amount of work required to the profit is still very attractive. This is countered by prompt detection by security solutions, coupled with a growing awareness amongst smartphone and tablet users that they need to protect their mobile devices as well as their PCs.

Despite the introduction at the start of 2012 of Google Bouncer, which scans Android developer accounts as well as already published and newly submitted apps on the official Google Play market, Google Play still contained malware in the first half of 2012. Google Bouncer is a protection mechanism designed by Google to prevent the publication of dangerous apps. In June 2012, however, two researchers in the USA showed that the Bouncer can be outsmarted²⁶ and openly criticised the effectiveness of this protection mechanism.

The fact that malware still reaches the Google Play Store is due to Google's failure to provide clear guidelines. Even apps previously declared to be malware and removed from Google Play are re-admitted after minor modifications. A trick used by malware authors is to ask, before the installation, for authorisation of the paid services the app will use. However, this first hurdle, which only catches the attention of a few vigilant customers, is very low. Most users skip this step, mostly because they have a false sense of security while navigating Google's official market. Most users are not aware that paid services and payment systems are quite common here, especially since they do not expect costs related to very simple apps.

Furthermore, such sophisticated apps often come with a rather questionable EULA to which users automatically agree by using the app. Another such modification is, for example, encrypting the transferred data as Google requires. The supposed security offered by Google Play as the official market is one of the reasons why G Data has introduced the riskware category for detections. This category is designed to raise awareness of the fact that some apps are not malware in the strict sense of the word and even meet Google's guidelines, but can have potentially unwanted functions nonetheless.

25 http://blog.gdatasoftware.com/blog/article/using-whatsapp-in-wifi-makes-conversations-public.html
26 https://blog.duosecurity.com/2012/06/dissecting-androids-bouncer/

Screenshot 5: It is easy to read a conversation, incl. pictures sent, using the WhatsApp Sniffer.

An example of riskware is Android.Riskware.SndApps.B, or SndApps for short.²⁷ If a user starts the app, he or she merely sees a screen that plays a sound when touched. The "Whoopee Cushion" app, for example, produces a flatulence sound. The predecessor, Android.Trojan.SndApps.A, was removed from the Google Market in July 2011, shortly after it had been published. The second version of the app by publisher Typ3-Studios has been supplemented with a detailed EULA and has been available in the official Google Play Store since August 2011. In addition, the data that is sent by the app is encrypted, as required by the Google guidelines.

What is risky for users is that the app's EULA can only be found via a detour. If the user presses the Menu button on his or her device, the app displays a field for displaying the EULA. However, if the smartphone does not have a Menu button or this button is not displayed, the user is not going to see the EULA.

In the second half of 2012, there will be an increase in cases where APK files (installation files for Android) are automatically downloaded onto Android OS devices. In these cases, a user navigates to a website using the mobile device's browser, either independently or prompted by an app. There, the user triggers an unintentional, automatic download of an app to the device. Another option is to offer users an app within an app, which directly starts a download when the icon is clicked instead of diverting the user to Google Play for the download. For malware authors, this is an easy and reliable way to spread malware because the user does not have to make the decision to download an app. The malware is thus guaranteed to reach the device, and the only obstacle it has to overcome is that the user has to manually start or confirm the installation.

Users of Android OS smartphones should therefore continue to download their apps only from trustworthy sources and should always take a look at the description of the app, the authorisations and the available reviews before deciding to install an app. If the malware then tried to download, for example, an app from a server in China, this would not be possible with the generally recommended security settings²⁸.

27 http://blog.gdatasoftware.com/blog/article/malware-or-not-malware-thats-the-question.html

Screenshot 6: Apps of Typ3-Studio, which re-entered the Google Market after minor modifications.
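As an added example (not part of the G Data report or any G Data product), the following script shows how the advice to look at an app's authorisations can be applied mechanically: it parses a manifest and flags declared permissions that together enable the kind of data collection described above for FakeDoc (account information, GPS position, phone number, IMEI, upload to a remote server). The permission names are the standard Android ones; the AndroidManifest.xml is constructed for illustration and the permission-to-data mapping is a simplification.

```python
"""Added example: triage declared Android permissions against the data a
FakeDoc-like spyware app would need. The manifest and the permission-to-data
mapping below are constructed/simplified assumptions, not a G Data tool."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android permission -> the kind of data the report lists for FakeDoc.
# (Simplified mapping; an assumption made for this example.)
PERMISSION_TO_DATA = {
    "android.permission.GET_ACCOUNTS": "Google account information",
    "android.permission.ACCESS_FINE_LOCATION": "GPS position of the device",
    "android.permission.READ_PHONE_STATE": "phone number and IMEI",
    "android.permission.INTERNET": "upload of collected data to a remote server",
}

# Constructed manifest of a hypothetical battery-optimiser app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.batterydoctor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.BATTERY_STATS"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def triage(manifest_xml, expected):
    """Return (unexpected, exfil_possible): sensitive permissions the advertised
    purpose does not need, and whether identifying data can be read AND sent."""
    perms = set(declared_permissions(manifest_xml))
    unexpected = {p: PERMISSION_TO_DATA[p] for p in perms
                  if p in PERMISSION_TO_DATA and p not in expected}
    identifying = [p for p in unexpected if p != "android.permission.INTERNET"]
    return unexpected, ("android.permission.INTERNET" in perms and bool(identifying))


if __name__ == "__main__":
    # A battery tool plausibly needs BATTERY_STATS and nothing else on the list.
    flagged, exfil = triage(SAMPLE_MANIFEST, {"android.permission.BATTERY_STATS"})
    for perm, data in sorted(flagged.items()):
        print(f"{perm}: grants access to {data}")
    print("identifying data could leave the device:", exfil)
```

The same check applied with INTERNET alone declared, or with all identifying permissions listed as expected, yields no exfiltration flag, which is the distinction between an advertising-only app and the data theft described for FakeDoc.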

The strong, continued growth in newly registered Android devices and the increasing willingness to use new media and functions will ensure that the number of mobile malware instances continues to grow. However, the trend will be towards ever more sophisticated malware being developed by the bad guys. The options are far from exhausted here, so malware authors are going to continue to raise the bar.

The NFC payment area (e.g. Google Wallet) is still more of a future scenario for the European market. Devices with native NFC support are not available across the board yet, and possible attack scenarios will be created mostly for research purposes before appearing "in the wild" once the system has gained widespread acceptance. Market research company Gartner predicts that the number of mobile payment users will reach 212.2 million in 2012, an increase of 51.7 million, while expecting the number of NFC transactions to remain relatively low, with growth starting to pick up from 2015/2016.²⁹

Threat scenarios of this type will continue to cause a stir in the future. The need for protection against possible risks will increase accordingly. However, one must not forget that protection mechanisms can only be effective if they are observed and used. Attackers will therefore continue to be successful in the second half of 2012 as long as there are careless users that make it easy for them.

28 See Screenshot 7
29 http://www.gartner.com/it/page.jsp?id=2028315

Screenshot 7: Security settings on an Android device; users should avoid unknown sources