The TrendLabs 2012 Annual Security Roundup showed that the past year ushered in the post-PC era as cybercriminals embraced mobile malware use. Mobile malware remained a big problem for users this quarter though the main concern went beyond their sheer number. The discovery of OBAD malware and the “master key” vulnerability highlighted cybercriminals’ ability to find ways to exploit flaws in the Android™ ecosystem. We noted that these incidents were designed to bypass security measures and serve as other means for cybercriminals to gain control over devices.
More online banking threats were seen in different countries this quarter, specifically in Brazil, South Korea, and Japan. These highlighted the need for increased awareness of online banking security. Cybercriminals also came up with more diverse attacks that used various social engineering lures, single sign-on (SSO) and multiprotocol services, and blogging platforms for their malicious schemes. Vulnerability disclosure also became a hot topic this quarter in response to the flurry of zero-day incidents at the beginning of the year.
Enterprises continued to battle targeted attacks. The Naikon campaign was primarily seen in Asia/Pacific while our research on the Safe campaign revealed victim IP addresses spread throughout 100 countries worldwide. These stress the importance of strengthening enterprise defense against targeted attacks while coming up with proactive solutions to protect corporate networks.
Trend Micro Incorporated, a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years of experience, we deliver top-ranked client, server, and cloud-based security that fits our customers’ and partners’ needs; stops new threats faster; and protects data in physical, virtualized, and cloud environments. Powered by the Trend Micro™ Smart Protection Network™ infrastructure, our industry-leading cloud-computing security technology, products and services stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit www.trendmicro.com.
The master key vulnerability can be exploited to replace legitimate apps with malicious versions while OBAD steals data and spies on mobile activities using improved stealth routines.
The lag in the Android™ update process doesn’t help either. It causes a fragmentation issue that leaves devices unpatched and unprotected.
Multicomponent and web-based threats now plague the mobile threat landscape. They victimize users with fake banking apps and FAKEAV distributed through social engineering schemes.
Mobile and web users need to scrutinize their computing habits, no matter what device they use. When dealing with mobile threats, look into vulnerability patching and extending mobile protection to include more than just app scanning.
Almost all Android devices were put at risk by the discovery of the master key vulnerability, which can be exploited to replace legitimate apps with malicious copies even without the original developer’s signing key.
The OBAD malware, meanwhile, exploits a critical Android device administration flaw to avoid detection and removal. It incessantly asks for administrator privileges before running in stealth mode and spreading via Bluetooth®.
The existing Android update process delays the deployment of software updates and patches. It doesn’t help that these still need to go through manufacturers and service providers before reaching users.
Mobile threats combined different malicious routines to infect more devices. PC threats also crossed over to the mobile front in the form of ads and Android application package files (APKs) that led to compromised web pages or performed malicious tasks.
This quarter’s notable multicomponent mobile threats steal information and breach user privacy:
There’s a thriving underground market for stolen mobile information. One million mobile numbers sell for US$70 while 1,000 numbers with personally identifiable information (PII) sell for US$35.
The number of malicious and high-risk Android apps hit 718,000 in the second quarter from 509,000 in the first quarter of this year. In just six months, the number of Android malware surged by another 350,000. It originally took three years for Android malware to reach this mass.
Most malicious apps still arrived as Trojanized versions of legitimate ones. And while the ranking of mobile threat types remained consistent with the past quarter, an increase in the data stealer volume was seen. This showed the continued evolution and sophistication of Android threats.
The online banking threat count rose from 113,000 in the first quarter of this year to 146,000 this quarter. The United States topped the list of countries with the most online banking victims, with over 40,000 infections (28%). It was followed by Brazil with 22%, Australia with 5%, France with 5%, and Japan with 4%.
Countries with fast Internet access and large online banking communities battled new and more sophisticated threats designed for their regions.
Users in South Korea, a leader in Internet connectivity, were redirected to fake sites. Brazil’s active online banking users fell victim to “homemade browsers” and data-stealing malware hosted on compromised government sites. In Japan, online Trojans also targeted banks.
Toolkits used for malicious activities are now hawked in the cybercriminal underground at cheap prices, given away for free, or bundled with other services or products.
In Brazil, SpyEye came free with a purchase of other known malware kits. The source code for CARBERP, the botnet creation kit, was also released online.
Traditional threats have come back, this time with improved evasion and deployment techniques.
One of the top 10 malicious domains users visited this quarter was connected to the Blackhole Exploit Kit. We saw related spam use non-English-character domains and download FAREIT, which is known for stealing File Transfer Protocol (FTP) credentials.
Botnets like PUSHDO managed to stay afloat and resist command-and-control (C&C) server takedowns by using malware that employs a Domain Generation Algorithm (DGA). This algorithm allows the malware to generate and access more than 1,000 domains on a daily basis.
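The DGA behaviour described above leaves a recognisable trace in resolver logs: one client queries many distinct, random-looking names in a short window, most of which do not resolve. The example below, added here and not taken from the report, scores clients on that pattern over constructed sample log lines; the log format, thresholds and client addresses are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log lines (not real traffic): timestamp, client IP,
# response code, queried name. Client 10.0.0.5 shows the DGA pattern the text
# describes: a burst of distinct, random-looking names, most of which do not resolve.
SAMPLE_LOG = """\
2013-06-12T10:00:01 10.0.0.5 NOERROR www.example.com
2013-06-12T10:00:02 10.0.0.5 NXDOMAIN qxz8kdu2pf.com
2013-06-12T10:00:02 10.0.0.5 NXDOMAIN w3r9tyxmvb.net
2013-06-12T10:00:03 10.0.0.5 NXDOMAIN lkp0dnszqa.org
2013-06-12T10:00:03 10.0.0.5 NXDOMAIN hf7cvbnm2r.info
2013-06-12T10:00:04 10.0.0.5 NOERROR j4gtrpxkw9.biz
2013-06-12T10:00:05 10.0.0.9 NOERROR mail.example.com
2013-06-12T10:00:06 10.0.0.9 NXDOMAIN typo-exmaple.com
"""

def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registered_label(qname):
    """Label left of the suffix, e.g. 'qxz8kdu2pf' for qxz8kdu2pf.com.
    Simplification: treats the last dotted part as the suffix (no PSL lookup)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def score_clients(log_text, min_nxdomain=3, min_entropy=3.0):
    """Flag clients whose queries look DGA-driven: at least min_nxdomain failed
    lookups AND at least as many high-entropy labels in the same window."""
    stats = defaultdict(lambda: {"nxdomain": 0, "high_entropy": 0, "domains": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, rcode, qname = line.split()
        st = stats[client]
        st["domains"].add(qname.lower())
        if rcode == "NXDOMAIN":
            st["nxdomain"] += 1
        if shannon_entropy(registered_label(qname)) >= min_entropy:
            st["high_entropy"] += 1
    return {
        client: {"nxdomain": st["nxdomain"], "high_entropy": st["high_entropy"],
                 "unique_domains": len(st["domains"])}
        for client, st in stats.items()
        if st["nxdomain"] >= min_nxdomain and st["high_entropy"] >= min_nxdomain
    }

if __name__ == "__main__":
    for client, detail in score_clients(SAMPLE_LOG).items():
        print(client, detail)
```

Requiring both the NXDOMAIN count and the entropy count keeps a single typo (10.0.0.9 above) from being flagged; on a real resolver the window should be bounded by time and the thresholds tuned to the site's normal query mix.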
Cybercriminals sought out and compromised hosts. The popular code repository SourceForge, for instance, was used to host malicious GAMARUE files.
The continued discovery of targeted attack campaigns inside computer networks should prompt organizations to remain vigilant. According to an ISACA survey, 53.4% of those surveyed still consider advanced persistent threats (APTs) to be conventional threats.
Campaigns like Safe, which TrendLabs℠ documented this quarter, used small C&C clusters and new malware to attack government ministries, technology companies, media outlets, academic research institutions, and nongovernment organizations. Nearly 12,000 unique IP addresses, spread over more than 100 countries, were connected to Safe via two sets of C&C infrastructure.
During discussions on vulnerability disclosure policies, Google engineers suggested that vendors release information on zero-day exploits within seven days.
Trend Micro CTO Raimund Genes deemed this unreasonable. He instead called for discourse among developers, governments, and researchers to work out solutions for security vulnerabilities in the future.
Social engineering threats diversified, spreading to multiple-account access services like the instant-messaging (IM) aggregator Digsby and the multiservice access ID Apple ID. They also spilled onto platforms like Tumblr, WordPress, and Blogger to host fake streaming pages, and used technologies like URL shorteners.
Threats also took advantage of professionals and individuals looking to gain popularity on social networks. An Instagram scam, for instance, offered to increase their follower count.
The Boston Marathon topped this quarter’s list of social engineering lures. Others included the Massachusetts Institute of Technology (MIT) shooting, the Texas fertilizer plant explosion, Iron Man 3, and the tax season.
Collaboration with Internet security experts is important in developing well-rounded legislation and stronger infrastructure against cybercrime. This is especially true since lax cybersecurity laws and insufficient technical knowledge impede various countries from beating cybercriminals.
A major highlight this quarter was the partnership between Trend Micro and INTERPOL for threat mitigation and cybersecurity training.