Most of the variants of this malware have the same functionality, with only slight differences in their implementation code. They simply show the fraudulent web pages on the in-application web component or the device’s browser.

McAfee has also found a variant of this family of malware with more dangerous features. This variant retrieves the device user’s Google account name–the email address–as well as the phone number, and sends the information to the attacker’s remote server.

The application description page on Google Play.

This application, tv.maniax.p_urapane1, is a 16-piece slider-puzzle game consisting of pornographic images. It also plays movie files when the user completes the game.

Unlike previous variants from this family of fraudulent malware, this application requires several permissions at installation that are usually unnecessary for this type of game:

• android.permission.READ_PHONE_STATE
• android.permission.GET_ACCOUNTS

The malware’s list of required permissions.

Behind the scenes, the malware retrieves the user’s data using these permissions and sends it to a remote server by opening the URL http://man****app.com/m/users/aftpur/GOOGLE_ACCOUNT_NAME/PHONE_NUMBER. It stores the data in a MySQL database server using the Java Database Connectivity API in a database-driver library in the application.

Malware application screens.

Google account name and phone number data sent to the attacker’s server.

This application also displays some “advertisement” links at the bottom of the screen. The application’s description page on Google Play says that the developer does not guarantee the safety of these linked advertisements, implying that they are not aware of the contents of the ads. In fact, however, the application simply displays the image files bundled in the application package and invokes the browser with the hard-coded URL http://pr**.*obi/?neosp_nontop_eropne01, which is the fraudulent web page often used in other variants of this one-click-fraud family of malware.

Fraudulent web pages.

The stolen Google account name and phone number are not directly used in the fraudulent page opened from this application. However, we expect the attacker will try to use this information for future malicious activities.

Fortunately, this application was deleted from Google Play within a day after it was added, and so the number of victims should be small. But the appearance of this variant indicates that the attackers are determined to collect personal information from their victims and that they are capable of developing variants with more advanced features than previous ones.

McAfee Mobile Security detects this application as Android/OneClickFraud, and will continue to monitor for more fraudulent activities from this family in Japan.

Our investigation into the apps have shown that new variants of one-click fraud have been altered so that the fraud is not immediately identifiable unless the victim interacts with the apps–in effect making the apps “two-click fraud” or even “three-click fraud”–and making the automated screening and scanning process difficult.

In fact, these applications simply invoke the web browser on the device or the web-view component inside the application to load the web contents. This extra step by the fraudulent activities makes the automated detection of this type of malware more difficult.

One-click fraud is a threat vector that is unique to Japan and has been around for more than a decade on PCs, but recent aggressive tactics during the past year show that the criminals behind this scam are committed to exploiting mobile devices.

By using two or more clicks to commit fraud, an attacker can more easily trick users into believing that they are actually registered in the fraudulent service. Victims are more likely to pay money or give detailed personal information to the attacker.

In the current fraud, the attacker used multiple developer accounts on Google Play, as well as almost the same description of the applications across these separate accounts. This indicates that this type of fraudulent application variant is easily created and distributed. Actually, the attacker created new developer accounts soon after old accounts were banned due to malware reporting and published almost the same applications with minor changes under these new accounts.

What is worse, the essential part of this fraud occurs on the websites rather than inside the Android application, so there are still risks that the number of victims will increase via web browsing even if these applications are removed from Google Play.

McAfee detects this malware family as Android/OneClickFraud. We also detect and block the web accesses to the URLs used in this series of online fraud to protect users when they encounter the malicious fraud sites using their browsers. Make sure to keep your McAfee security products updated and stay tuned to McAfee Labs blogs for additional information as we continue our investigation.

Whenever I bring this up in a group setting, it astonishes me how many people raise their hands. I wonder if they realize that they are putting all the personal information contained on their mobile device at risk. The unfortunate reality is that everyone loses things, and our devices can get stolen. And when that happens to your smartphone or tablet, it can be devastating.

Many of us use upwards of ten apps on our devices during a typical week. The majority of these apps are logged into our most critical accounts including email, text, banking, social media, payment apps and others that are linked to our credit cards. And because mobile app developers know that we are more apt to use their programs if they are easy to access and convenient to use, a lot of apps are programmed to automatically keep you logged in for days, weeks, months, or until you manually revoke access.

If your devices are not password protected and are then lost or stolen, your accounts are 100% accessible to whoever has control of your device. This is bad—and yet, 36% of us still do not use password protection!

According to a recent global survey by McAfee and One Poll, consumers seem largely unconcerned about keeping data on their mobile devices safe. For example, only one in five respondents have backed up the data on their smartphone and tablet, and more than one in ten (15%) save password information on their phone. This means that if their phone falls into the wrong hands, they risk opening up all sorts of personal information such as bank details and online logins to whoever finds the device.

Setting up a password or PIN is no guarantee that data will stay safe, and over half (55%) of all respondents admitted that they have shared these details with others, including their kids.

What’s particularly interesting is that men and women also behave differently with their mobile devices, not only in terms of how much risk they are willing to take, but also in terms of what they value.

Here are a few steps to make sure you and your mobile devices stay protected:

• Password protect all your devices (and don’t use easy ones like 1234 or 1111)
• Never use the “remember me” function on your apps or mobile web browser, and take care to log out of your accounts
• Consider not sharing your PIN/password—this might be a tough one, but in the long run it will save you from possible heartacheUse a mobile security product like McAfee Mobile Security (and also McAfee All Access), that has not only anti-malware, but web protection and app protection. With app protection, not only are you warned if your apps are accessing information on your mobile that they shouldn’t, but in the event that someone does unlock your device, you can ensure your personal information remains personal by locking some or all of your apps
• Stay educated on the latest ways to protect your mobile device. For a fun quiz to help you learn about mobile security, visit the McAfee Facebook page. Play the Mobile Mythbusters quiz and get a chance to win a Galaxy Tablet or Kindle Fire!

And if you’re at Mobile World Congress, stop by and see McAfee in Hall 3, Stand C34. If you show our team in the red shirts that you’ve liked them on Facebook or followed them on Twitter, you’ll get a prize!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!. Disclosures.

Big Changes at MWC

This year’s MWC is set to run from the Monday, February 25^th to Thursday the 28^th, and it will be the first time we have all descended on the new location of the Fira Gran Via, which will mean a new experience for even the most grizzled MWC attendees.  Possibly the most dramatic change to this year’s show will be the absence of the Google Android stand, which has become well known for its smoothies, ice cream, and crazy slide.

What We’re Waiting For

As always, we’re excited to hear the customary announcements from the big networks, device manufacturers, and accessory businesses, but we’re particularly looking forward to the growing number of cloud service providers that are increasingly attending the show.  For example, this year we have keynotes scheduled from the CEOs at Deezer, Dropbox, Foursquare, and Mozilla.  These names could make for some very interesting talks on the future of mobile devices, driving increased innovations and efficiencies for businesses and consumers alike.

Enjoying the MWC Nightlife

As usual, most of the professional networking that goes on during MWC won’t happen at the show, but rather in the evening in the many bars and clubs of Barcelona.  Here are some of the events we think look too good to miss:

• Monday 25^th Feb: MEF Connects 2013 – Now in its 11^th year, this is a chance to do some serious networking with other MEF members. If you’re not a member, don’t fret, there’s always the MWC Networking Event, dubbed by organizers as “THE” networking event of MWC.
• Tuesday 26^th Feb: Mobile Marketing Mixer – This event is open to all, but you’ll need an invite to get in.  The best chance to get your golden ticket is to follow @MMMagTweets, where organizers will give away tickets right up to the show.
• Wednesday 27^th Feb: Swedish Beers, Heroes of the Mobile Fringe Edition – Promised to be full to the brim and buzzing with chatter; organised by Helen Keegan (and “crew”).  There’s no need to RSVP, as there’s no strict guest list, but our tip is to get there early, as it’s always popular and space in the venue (as well as the free drinks) always go faster than you think.
• Thursday 28th Feb: MLove MWC 2013 After Party – If you’re not planning to leave on Thursday and are still in a condition to party, this event is a must!  It’s a chance to meet, mingle, and celebrate the end of another great show. Tickets are expected to sell out, but they’re currently available through Eventbrite with the promotional code “MLOVE-friends.”

What McAfee is Doing:

We’ll be sharing a booth with our parent company Intel in Hall 3, Stand C34. Stop by to check out McAfee consumer and enterprise mobile demos and chat with members of our team (we’re easy to spot – just look for the red shirts). Even better, if you stop by the booth and show that you’ve Liked us on Facebook or followed us on Twitter, we’re giving away special prizes for our social media fans.

In addition, we’ll also be revealing the results of our global mobile security research report during the show, and for our enterprise audience, we’ll discussing McAfee Enterprise Mobility Management.

Last but Not Least: #MobileMyths Giveaway for Fans at Home and in Barcelona

Whether or not you’re at the show this year, don’t forget to play our Mobile Mythbusters quiz on Facebook. Not only can you help debunk some of the most common mobile security myths, but you can also enter to win a Galaxy Tablet or Kindle Fire HD, complete with McAfee Mobile Security! Once you’ve taken the quiz, be sure to share your results with the hashtag #MobileMyths, and you can get another entry for the prize.

Stay tuned for more updates on Facebook, here in the blog, and on Twitter with @McAfeeConsumer, and for those of you in Barcelona, I hope you take some time to enjoy all that the city (and MWC) has to offer!

Image Source: http://www.businessinsider.com/google-booth-mwc-2011-2?op=1

With the growth in mobile exploding, it is only natural for cybercriminals to move towards that device as a means for profit since it has such large numbers. And for us as consumers this means learning about these new ways hackers can trick or deceive us.

Part of the education process is understanding where and how all this malicious activity happens. Unlike PCs where infections typically happen through email (attachments or links) or from visiting an infected website, for mobile devices, malicious software (malware) is distributed primarily through infected apps.

In their Mobile Security: McAfee Consumer Trends Report, McAfee analyzed data from McAfee Mobile Security users on Android devices and found:

• 16% (or 1 in 6) of apps are infected with malware or contain links to risky URLs
• 40% of malware do more than one malicious activity (for instance it may not only send your mobile # and device ID to the hacker, but it may also open a “door” so the hacker can get future information from other apps)
• The #1 malicious activity the malicious apps did was send handset and personal information to the hacker
• Spyware represents about 1/3 of all malware families in our zoo and 23% of mobile spyware joins a botnet or opens a backdoor, increasing the risk of data loss or device abuse

What does this mean for you?

It means you better be careful with your mobile device and especially what apps you download and use. I don’t know about you, but my smartphone has become an extension of me and without it I’d be lost. And if all the data that was on my phone got into the wrong hands, I shudder to think of what could happen.

That’s why it’s critical that you are careful when using apps. Here’s some tips to stay safe:

• Watch where you download: Only download apps from reputable app stores
• Investigate the app: Researching it by reading reviews and checking its ratings
• Check the permissions: Make sure the app is only accessing data it really needs to function- studies have shown that 1/3 of apps ask for more permission than they need¹
• Don’t store your logins: Do not choose the “remember me” option for apps and mobile browser for your login information, even though this is not as easy. This way, if a stranger accesses your device they cannot log into your accounts as you.
• Use security software: Software such as McAfee^® Mobile Security can also help protect your phone against malware, bad apps and other mobile threats. It also allows you to remotely locate, track and lock your device in the case of loss or theft.

Even though 51% of us would rather lose our wallet than our smartphone,² only 4% use mobile security software.³  It’s time….save yourself the hassle later and make security a priority for your mobile device and yourself.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

¹ http://www.cs.berkeley.edu/~afelt/android_permissions.pdf
²  Cisco 2011 Connected World Technology Report
³ http://juniperresearch.com/viewpressrelease.php?pr=255

Today, most of us can’t live without our mobile devices. We live in an always on, always connected world. While this is convenient in many ways, it also brings about new security risks that many people don’t think about.

For example, most of us know that we need to use security software on our PCs. But how many of us know to use security on our mobile devices? Mobile devices are our most personal computers, yet they open the door to many vulnerabilities that don’t exist on a traditional PC.

Here’s some fact vs. fiction around mobile devices:

Mobile Myth #1: The best way to locate my lost phone is by calling it.


• False. While “Call Me Maybe” may be your theme song, and this is sometimes a viable option, it’s much easier to use security software that lets you locate your phone by GPS or make it “scream” so you can find it (this is much louder than your ring tone). You can also display a message on your lost phone if anyone does find it, so you can tell them how to get in touch with you.

Mobile Myth #2: It’s ok to have my apps automatically log in to my accounts if I have my phone protected with a PIN.

• False. Even though a PIN is a good start, this is not complete protection. Hackers are often able to guess PIN codes and also have programs to help them quickly figure out your 4 digit combination. Make sure you use a PIN that is not 1111 or 1234 and that you do not set your apps or mobile browser to use the “remember me” function. If your phone falls into the wrong hands, that gives the person easy access to your accounts.

Mobile Myth #3: Phishing is just for PC users.

• False. In fact, one study showed that mobile users are 3x more vulnerable to phishing scams than PC users. Hackers can use phishing attempts via email (if you access your email via your phone or tablet) but also via text and social media apps. Also, it is much harder to tell if links are “real” in a mobile browser or email, so you should use mobile security software that warns you if you are going to a malicious site.

These are just a few mobile myths that exist out there. To really test your mobile knowledge, play our Mobile Mythbusters quiz on Facebook, where you can also enter to win great prizes like a Galaxy tablet, Kindle Fire, or a copy of my e-book “99 Things You Wish You Knew Before Your Mobile Device Was Hacked,” all with a 1-year subscription to McAfee Mobile Security.

In addition, share you’re your mobile myths with @McAfeeConsumer using the hashtag #MobileMyths to help debunk mobile security myths and protect yourself and others. Top tweeters will win a copy of McAfee All Access or McAfee Mobile Security.

And if you’re going to be at Mobile World Congress, stop by to visit McAfee and see our product demos. We’re in the Intel booth in Hall 3, Stand C34. You may even get a small gift if you show that you’ve liked McAfee on Facebook or followed us on Twitter when you come see the people in the red shirts!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

Some of the most commonly used apps on the Android platform such as Facebook, LinkedIn and Gmail don’t require a log in each time they’re launched, which is convenient, but from a security standpoint, not smart.

In my world I have these 2 little gremlins that constantly pick at me for my mobile so they can play games.  But they access different applications and my Facebook status can become “Fubawa%^!aaaaasd;ohjvdasBLADOFIN.” And I look like I’m 4-years old or crazy─definitely, not smart.

And what about this scenario? You hand your smartphone to a buddy to show him some pictures and then your phone gets passed around the table and then it eventually makes its way back to you. The next day you find out that someone at the table thought it was funny to post status updates on your profile that you are looking for your true love (when you’re actually married). Not smart.

This is where “App Lock” comes in. App Lock, included with McAfee Mobile Security (and also McAfee All Access), safeguards against this privacy danger. It allows Android users to protect installed apps against misuse by locking them with the same PIN that’s tied to their McAfee Mobile Security account. Smart!

Make sure you’re protecting your mobile device and your privacy. Lock your apps!

Robert Siciliano is an Online Security Evangelist to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

Today, smartphone are connected to the Internet and have much of the same information as the personal computer, if not more. Now Androids and other smartphones have become little mini handheld computers. Carriers are announcing that they’ll be upping the speed of the latest version of their networks, doubling download speeds. And new smartphones will have as much as 64 gigabytes of capacity. That’s more hard drive than my three-year old laptop.

For the next generation of users, the smartphone is replacing the PC as their primary device. Nielsen reports, “We are just at the beginning of a new wireless era where smartphones will become the standard device consumers will use to connect to friends, the internet and the world at large. The share of smartphones as a proportion of overall device sales has increased 29% for phone purchasers in the last six months; and 45% of respondents indicated that their next device will be a smartphone.”

For many of us, your mobile device has already become like your right hand (in my case, my left hand). Not only is it your phone, but it’s used to store some of your most private conversations and confidential information—it’s now your address/phone book, email, digital camera, news source, online banking system and even your wallet—all rolled into one device.

With all this invaluable data and information, and the growth in smartphones and tablets, it’s natural for criminal hackers to see these new devices as a huge opportunity, much like they did with the PC.

So if you have a smartphone or tablet, make sure you take steps to protect yourself.

• Never leave your phone unattended in a public place
• Put a password on your mobile and set your phone to auto-lock after a certain period of time
• When doing online banking and shopping, always log out and don’t select the “remember me” function
• Use mobile device protection that provides anti-theft, anti-malware/antivirus, app protection and web protection. McAfee makes this easy with McAfee All Access, a single software solution to protect all of your devices or you can use McAfee Mobile Security to protect your smartphone or tablet.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

It’s that horrible feeling that comes over you as you realize you no longer have your mobile phone. In the past you might have first thought of the cost of having to buy a new phone and re-enter all your contacts. But now with the advent of smartphones, there’s much more to lose than the device itself.

Because our mobile devices can hold personal and work contacts, account logins, photos, and messages, losing your device means exposing your private world to strangers and identity thieves. They can browse your apps and activities, extract your addresses, download files and pictures, send all your Facebook friends fake or embarrassing content, or gain access to your bank accounts and drain them. And recreating and restoring all the content we have on our smartphones can take hours, if it is even possible.

I’ve lost count of how many phones I’ve found in bars or parks, at the beach or when running along the trails. And the most amazing part is I’ve been able to return all but a very few. And how do I do this? Because most people don’t lock their phones!!! This means I can pick up the phone and got through their contact lists and look for “Mom.” In other cases I just wait for someone to call it and say “Hello I found this phone how can I help you?”

There are some things you can do so you don’t have that freak-out moment.

• Password protect your device—This is the simplest thing you can do to protect the information stored on your device. Not only does it keep strangers from accessing your data, but it may also discourage thieves from taking the device in the first place.
• Regularly backup your data—Don’t be part of the 32% that only does backups once a year! Back up your data at least once a week, so you have electronic copies of all of your valuable information. This way, even if you lose your device, you won’t lose all of your data.
• Don’t store your logins—Rather than having your apps and mobile browser remember your login information, type in your login credentials each time (especially for banking). This way, if a stranger accesses your device they cannot log into your accounts as you. Or better yet, don’t store sensitive data on your phone.
• “Mark” your device—To mark your device, take a screenshot of your emergency contact numbers and use it as your phone’s lock screen. If someone finds your device, it will be easy for him or her to return it to you.
• Write down the serial number—Record your phone’s serial number and store it somewhere other than on your device. If you lose your phone and it eventually turns up, you will be able to identify it.
•  Install mobile security—Software like McAfee^® Mobile Security, which includes antivirus protection, app protection, backup and restore functions, and remote wipe and tracking in the case of loss or theft

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

With all this convenience and access, comes some risk. Criminal hackers see this as an opportunity for them to access your information and make money. And so as the number of mobile devices has grown, McAfee has seen the amount of mobile malware grow.

The Android platform remains the largest target for both mobile malware and spyware. In fact, we see very few mobile threats that are not directed at Android phones. After a slight decline earlier in the year, Android malware has rebounded and almost doubled this quarter with over 20,000 samples.

The infographic below illustrates some of the ways that cybercriminals use to “infiltrate” your mobile device.

What most of these attacks have in common is that they allow a cybercriminal to take over your mobile device in some way. This is why it is critical to protect your mobile device.

• Only buy apps from a well-known reputable app store, such as Google Play
• Keep your operating system software updated
• Be selective about websites you visit
• Avoid clicking links in text messages or emails, especially if they are from people you don’t know
• Stay educated on the latest tricks, cons and scams
• Use comprehensive mobile security, like McAfee Mobile Security that includes antivirus, anti-theft, and web and app protection or comprehensive device protection like McAfee All Access that protects all your devices including your mobile devices