TrendLabs 2Q 2013 Security Roundup

The TrendLabs 2012 Annual Security Roundup showed that the past year ushered in the post-PC era as cybercriminals embraced mobile malware. Mobile malware remained a big problem for users this quarter, though the main concern went beyond sheer numbers. The discovery of the OBAD malware and the “master key” vulnerability highlighted cybercriminals’ ability to find and exploit flaws in the Android™ ecosystem. These incidents were designed to bypass security measures and give cybercriminals additional means of gaining control over devices.

More online banking threats were seen in different countries this quarter, specifically in Brazil, South Korea, and Japan. These highlighted the need for increased awareness of online banking security. Cybercriminals also came up with more diverse attacks that used various social engineering lures, single sign-on (SSO) and multiprotocol services, and blogging platforms for their malicious schemes. Vulnerability disclosure also became a hot topic this quarter in response to the flurry of zero-day incidents at the beginning of the year.

Enterprises continued to battle targeted attacks. The Naikon campaign was primarily seen in Asia/Pacific while our research on the Safe campaign revealed victim IP addresses spread throughout 100 countries worldwide. These stress the importance of strengthening enterprise defense against targeted attacks while coming up with proactive solutions to protect corporate networks.


Trend Micro Incorporated, a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years of experience, we deliver top-ranked client, server, and cloud-based security that fits our customers’ and partners’ needs; stops new threats faster; and protects data in physical, virtualized, and cloud environments. Powered by the Trend Micro™ Smart Protection Network™ infrastructure, our industry-leading cloud-computing security technology, products and services stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit

Copyright © 2013 Trend Micro Incorporated.
All rights reserved.


Mobile Threats Go Full Throttle:
Device Flaws Lead to Risky Trail
TrendLabs 2Q 2013 Security Roundup

Mobile threats took the fast lane this quarter and bypassed security. Mobile vulnerabilities raised risks with the emergence of the master key vulnerability and the OBAD malware.

The master key vulnerability can be exploited to replace legitimate apps with malicious versions, while OBAD steals data and spies on mobile activity using improved stealth routines.

The lag in the Android™ update process doesn’t help either. It causes a fragmentation issue that leaves devices unpatched and unprotected.

Multicomponent and web-based threats now plague the mobile threat landscape. They victimize users with fake banking apps and FAKEAV distributed through social engineering schemes.

Mobile and web users need to scrutinize their computing habits, no matter what device they use. When dealing with mobile threats, look into vulnerability patching and extending mobile protection to include more than just app scanning.


Nearly all Android devices were exposed due to critical vulnerabilities; many users won’t be able to get fixes

Almost all Android devices were put at risk by the discovery of the master key vulnerability, which can be exploited to replace legitimate apps with malicious copies without the original developer’s signing key.
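As an added defender-side illustration (not code from the report or from Trend Micro), the check below flags the package layout the master key bug depended on: an APK is a ZIP archive, and the bug was that a repeated entry name could be resolved to different copies by the signature verifier and by the installer. A properly built, signed APK never repeats a name, so duplicate entries are a reliable reason to reject a package before installation. The sample archives are constructed inline.

```python
import io
import warnings
import zipfile
from collections import Counter


def find_duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {entry name: count} for every name that occurs more than once in
    the archive's central directory.  A properly built APK never repeats a
    name; the master key class of bugs relied on the signature verifier and
    the installer resolving a repeated name to different copies."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """True when the package should be rejected or quarantined before install."""
    return bool(find_duplicate_entries(apk_bytes))


def build_sample_apk(tamper: bool) -> bytes:
    """Constructed sample (not a real app): a minimal APK-like archive.  With
    tamper=True a second 'classes.dex' entry is appended under the same name,
    which is the layout this check is meant to catch."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", "<manifest/>")
            zf.writestr("classes.dex", "original code")
            zf.writestr("META-INF/CERT.SF", "digests of the original entries")
            if tamper:
                zf.writestr("classes.dex", "replacement code")
    return buf.getvalue()


if __name__ == "__main__":
    for label, tamper in (("clean", False), ("tampered", True)):
        print(label, find_duplicate_entries(build_sample_apk(tamper)))
```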

The OBAD malware, meanwhile, exploits a critical Android device administration flaw to avoid detection and removal. It incessantly asks for administrator privileges before running in stealth mode and spreading via Bluetooth®.

The existing Android update process delays the deployment of software updates and patches. It doesn’t help that these still need to go through manufacturers and service providers before reaching users.

FAKEAV, banking, and more threats jump from PC to mobile

Mobile threats combined different malicious routines to infect more devices. PC threats also crossed over to the mobile front in the form of ads and Android application package files (APKs) that lead to compromised web pages or perform malicious tasks.

This quarter’s notable multicomponent mobile threats steal information and breach user privacy:

  • FAKEBANK uses phony smart banking apps to steal banking credentials.
  • Mobile FAKEAV, like PC FAKEAV, spoofs scan results and asks users to purchase a supposed premium version of a security app.

There’s a thriving underground market for stolen mobile information. One million mobile numbers sell for US$70 while 1,000 numbers with personally identifiable information (PII) sell for US$35.

Android malware now 718K; volume continues surge with no end in sight

The number of malicious and high-risk Android apps hit 718,000 in the second quarter, up from 509,000 in the first quarter of this year. In just six months, the volume of Android malware surged by another 350,000. It originally took three years for Android malware to reach this mass.

Most malicious apps still arrived as Trojanized versions of legitimate ones. And while the ranking of mobile threat types remained consistent with the past quarter, an increase in the data stealer volume was seen. This showed the continued evolution and sophistication of Android threats.

Online banking threat volume rises by 29%; the United States, Brazil, Australia, and France become top 4 targets

The online banking threat count rose from 113,000 in the first quarter of this year to 146,000 this quarter. The United States topped the list of countries with the most online banking victims, at over 40,000 infections (28%). It was followed by Brazil with 22%, Australia with 5%, France with 5%, and Japan with 4%.

Countries with fast Internet access and large online banking communities battled new and more sophisticated threats designed for their regions.

Users in South Korea, a leader in Internet connectivity, were redirected to fake sites. Brazil’s active online banking users fell victim to “homemade browsers” and data-stealing malware hosted on compromised government sites. In Japan, online banking Trojans also went after banks.

Two-for-one offer: Buy malware and get malware kits for free

Toolkits used for malicious activities are now being hawked in the cybercriminal underground at low prices, given away for free, or bundled with other services or products.

In Brazil, SpyEye came free with a purchase of other known malware kits. The source code for CARBERP, the botnet creation kit, was also released online.

Blackhole Exploit Kit linked to top bad URL as traditional threats form new habits

Traditional threats have come back; this time, with improved evasion and deployment techniques.

One of the top 10 malicious domains users visited this quarter was connected to the Blackhole Exploit Kit. We saw related spam use non-English-character domains and download FAREIT, which is known for stealing File Transfer Protocol (FTP) credentials.

Botnets like PUSHDO managed to stay afloat and resist command-and-control (C&C) server takedowns by using malware that employs a domain generation algorithm (DGA). The algorithm allows the malware to generate and try to reach more than 1,000 domains per day, so taking down any one C&C domain has little effect.
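As an added detection illustration (not code from the report or from Trend Micro), the script below applies a common heuristic for the DGA behaviour just described: a host that keeps querying many distinct, random-looking domains that do not exist produces a burst of NXDOMAIN answers, because only a few of the generated names are ever registered. The log format, thresholds and sample lines are constructed for the example; the second-level-label extraction is a simplification that ignores multi-part public suffixes.

```python
import math
import re
from collections import defaultdict

# Constructed sample log lines (not from the report): "client query rcode"
SAMPLE_DNS_LOG = """\
10.0.0.5 www.trendmicro.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.9 qxzkvprtlmwe.com NXDOMAIN
10.0.0.9 dplxmqcvhrt.net NXDOMAIN
10.0.0.9 wkvjzqpmxsd.com NXDOMAIN
10.0.0.9 hrtmzxqvbpc.org NXDOMAIN
10.0.0.9 update.microsoft.com NOERROR
10.0.0.7 typo-example.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a domain label; machine-generated
    labels tend to score higher than dictionary words, but entropy alone is
    noisy, so it is combined with the NXDOMAIN count below."""
    if not label:
        return 0.0
    freq = {c: label.count(c) for c in set(label)}
    return -sum(n / len(label) * math.log2(n / len(label)) for n in freq.values())


def second_level_label(fqdn: str) -> str:
    """'www.example.com' -> 'example' (simplified: 'a.co.uk' would give 'co')."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def flag_dga_clients(log_text: str, min_entropy: float = 3.0,
                     min_failures: int = 3) -> dict:
    """Return {client: [domains]} for clients with at least min_failures
    NXDOMAIN answers for distinct, high-entropy second-level labels."""
    failures = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and label_entropy(second_level_label(qname)) >= min_entropy:
            failures[client].add(qname)
    return {c: sorted(d) for c, d in failures.items() if len(d) >= min_failures}
```

A single typo lookup (10.0.0.7) stays under the failure threshold, while the host cycling through random names is reported with the domains that triggered it.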

Cybercriminals also sought out and compromised hosts. The popular code repository SourceForge, for instance, was used to host malicious GAMARUE files.

Campaigns target enterprises; most still vulnerable

The continued discovery of targeted attack campaigns inside computer networks should prompt organizations to remain vigilant. According to an ISACA survey, 53.4% still consider advanced persistent threats (APTs) conventional threats.

Campaigns like Safe, which TrendLabs documented this quarter, used small C&C clusters and new malware to attack government ministries, technology companies, media outlets, academic research institutions, and nongovernment organizations. Nearly 12,000 unique IP addresses, spread over more than 100 countries, were connected to Safe via two sets of C&C infrastructure.

Cybercriminals target server-side vulnerabilities

This quarter, a zero-day exploit for Internet Explorer® 8 and attacks targeting server-side applications—Plesk, Ruby on Rails, and ColdFusion®—were reported.

During discussions on vulnerability disclosure policies, Google engineers suggested that vendors release information on actively exploited zero-day vulnerabilities within seven days.

Trend Micro CTO, Raimund Genes, deemed this unreasonable. He instead called for discourse among developers, governments, and researchers to work out solutions for security vulnerabilities in the future.

Social threats zero in on account managers and money-making targets

Social engineering threats diversified, spreading to services that aggregate access to multiple accounts, such as the instant-messaging (IM) aggregator Digsby and the multiservice access ID Apple ID. They also spilled onto platforms like Tumblr, WordPress, and Blogger to host fake streaming pages, and used technologies like URL shorteners.

Threats also took advantage of professionals and individuals looking to gain popularity on social networks. An Instagram scam, for instance, offered to increase their follower count.

The Boston Marathon bombing topped this quarter’s list of social engineering lures. Others included the Massachusetts Institute of Technology (MIT) shooting, the Texas fertilizer plant explosion, Iron Man 3, and the tax season.

Public-private collaboration is key to effective security

Collaboration with Internet security experts is important in crafting well-rounded legislation and stronger infrastructure against cybercrime. This is especially true since lax cybersecurity laws and insufficient technical knowledge prevent many countries from beating cybercriminals.

A major highlight this quarter was the partnership between Trend Micro and INTERPOL for threat mitigation and cybersecurity training.