AVG’s Q2 2012: Cybercriminals use social engineering to extend lifecycle of malware by ensnaring tech-savvy users with plausible scenarios
July 2012 by AVG
AVG Technologies, the provider of Internet and mobile security to approximately 114 million active users, today released its Q2 2012 Community Powered Threat Report. This quarter’s report investigates how cybercriminals have combined social engineering with more complex malware authoring for PC and mobile to increase impact, and that many of these are emerging from China.
Android smartphone users remain a lucrative target as the platform currently has 59 percent global market share and is on track to stay the most shipped mobile operating system until 2016. Much of this new malware has also been identified as originating from China and targeting users there and in neighboring markets, reflecting the fact that this is now the world’s top smartphone market with over one million mobile web users.
The China connection
This quarter saw the introduction of the first Android bootkit, ‘DKFbootkit’, which masquerades as a fake version of a legitimate application and damages the smartphone’s Linux kernel code by replacing it with malicious code. Users are tricked into clicking ‘OK’ to the notifications the malware provides, giving it permission to add itself to the boot sequence and spring into life once the device is activated. In rooting the device, this attack turns the smartphone into a zombie that is fully under the cybercriminal’s control, which makes it a serious threat to Android users. This attack is spread over the third party applications market – and not the official Google Play - in China.
Malware authors also spammed China, Japan, South Korea, Taiwan and the United States with Trojan-infected email messages related to political issues around Tibet. These were released on the back of a Microsoft ‘Patch Tuesday’ security bulletin with the authors rushing to take advantage of the ‘window of opportunity’ time lag between the patch release and when users were able to implement it. The email attachment contains an embedded encrypted executable file which collects sensitive user information such as passwords, and is able to download additional malware for key logger facility or to get a new Trojan configuration.
Yuval Ben-Itzhak, Chief Technology Officer at AVG, said: “In our experience, an operating system attracts attention from cybercriminals once it secures five percent market share; once it reaches ten percent, it will be actively attacked. It’s no surprise therefore that our investigations uncovered a further upsurge in malware targeting Android smartphones given its sustained popularity, with new attacks focused on rooting the devices to give cybercriminals full control. What’s new this quarter is the significant upsurge in these threats originating from China.”
The end of antivirus?
For all of the sensationalism around the discovery of Stuxnet in 2010 and its 2012 equivalent, Flame, the average consumer was never actually a target for either malware. While rumors of cyber-attacks were circulated about both, Flame was actually not a patch on the sophistication of Stuxnet in terms of malware authoring and in particular, the techniques used in the payload were not very impressive. The security industry is already adapted to the unexpected nature of threats with traditional signature detection being just one layer within a multi-faceted security solution.
The latest version of the LizaMoon mass injection SQL attack this quarter deceives users into downloading a Trojan or some rogue software by exploiting human interest and hiding inside non-existent celebrity sex videos or fake antivirus websites. Injecting malicious code into legitimate but vulnerable websites, this attack targeted Mozilla’s Firefox® browser and Microsoft’s Internet Explorer® with two attack vectors. In Firefox, users are lured by raunchy videos of socialite Paris Hilton and actress Emma Watson and asked to update their Flash installation in order to view them. Users never get to see the video as the malware installed a Trojan disguised as a Flash update.
In Internet Explorer, users receive a prompt seemingly from an antivirus website which would claim to have found malware on their computer. They are encouraged to download the malware and, once installed, to ‘purchase it’ which would then simply remove the malware in return for payment. Should the victim decide not to purchase, nag screens would pop up until the rogue was cleaned from the machine. In the most recent version, the malware was updated to enable ‘drive-by downloads’ where victims need only visit the website to become infected and it is no longer enough to close the web page to be safe.
Rovio’s ‘Angry Birds Space’ application was also frontline for consumer scams this quarter. Using the same graphics as the legitimate version, a fully functional Trojan-infected version was uploaded to unofficial Android application stores. It uses the GingerBreak exploit to root the device, gaining Command and Control functionality to communicate with the remote server to download and install additional malware, botnet functionality, and to enable the modification of files and launch of URLs.
To download the full Q2 2012 Community Powered Threat Report, please visit: http://mediacenter.avg.com/en/press...
About the report
The AVG Community Protection Network is an online neighborhood watch, where community members work to protect each other. Information about the latest threats is collected from customers who participate in the product improvement program and shared with the community to make sure everyone receives the best possible protection.
The AVG Community Powered Threat Report is based on the Community Protection Network traffic and data collected from participating AVG users over a three-month period, followed by analysis by AVG. It provides an overview of web, mobile devices, spam risks and threats. All statistics referenced are obtained from the AVG Community Protection Network.
AVG has focused on building communities that help millions of online participants support each other on computer security issues and actively contribute to AVG’s research efforts.