<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog Central &#187; Google Play</title>
	<atom:link href="http://blogs.mcafee.com/tag/google-play/feed" rel="self" type="application/rss+xml" />
	<link>http://blogs.mcafee.com</link>
	<description></description>
	<lastBuildDate>Fri, 24 May 2013 19:54:16 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>BadNews for Good People</title>
		<link>http://blogs.mcafee.com/consumer/badnews-for-good-people</link>
		<comments>http://blogs.mcafee.com/consumer/badnews-for-good-people#comments</comments>
		<pubDate>Wed, 01 May 2013 17:50:57 +0000</pubDate>
		<dc:creator>Lianne Caetano</dc:creator>
				<category><![CDATA[Consumer]]></category>
		<category><![CDATA[Mobile - Consumer]]></category>
		<category><![CDATA[BadNews Bug]]></category>
		<category><![CDATA[Google Play]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=24342</guid>
		<description><![CDATA[Bugs. Creepy, crawly, never-really-know-where-they’re-hiding, infestations of bugs. If we could just see them all, we would rid our lives of bug infestations with doses of (environmentally friendly) spray. But what about the bugs that we can’t see? What about the bugs that have snuck past, and infiltrated the hidden corners of our lives, then quietly <a href="http://blogs.mcafee.com/consumer/badnews-for-good-people">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Bugs. Creepy, crawly, never-<i>really</i>-know-where-they’re-hiding, infestations of bugs.</p>
<p>If we could just see them all, we would rid our lives of bug infestations with doses of (environmentally friendly) spray. But what about the bugs that we can’t see? What about the bugs that have snuck past, and infiltrated the hidden corners of our lives, then quietly lie dormant until they can strike where it hurts most – our finances, our personal lives and our private information. You might ask, “How can a few bugs do that?”  You may forget: there are bugs that we cannot see, electronic bugs that we unknowingly let into our lives through our phones, tablets, apps and downloads and cannot control. They infest, they attack, they steal, and no amount of bug spray in the world can help with that.</p>
<p>Most recently, the Russian “BadNews Bug” has proven to be an example of this. BadNews is technically not a bug in software terms, though it has been called one in the press; security researchers have identified 32 separate apps on Google Play that have harbored it. BadNews poses as an innocent, if somewhat aggressive, advertising network, which lets it conceal its identity and avoid detection systems while hiding in everyday programs such as recipe generators, wallpaper apps and games. The second stage of the infection comes when a mobile user least expects it: BadNews uses the ad network to deliver AlphaSMS, a malicious premium SMS dialer, which steals the victim’s credit by sending text messages to premium-rate numbers. Day by day, month by month, money seeps out of the user’s account.</p>
<p>Many people are now left wondering – how many people were infected? Was I infected? Can I be infected? While press reports of the number of people affected range from 2 million to 9 million, the main concern here is that the BadNews “bug” isn’t the only one of its kind on the market. There are hundreds – if not thousands – of bugs lurking in dark corners and fine print that can very easily sneak into our lives. In 2013 alone, the mobile ad business is a rapidly growing $6 billion industry, and without the proper protection, we may fall victim before we know it.</p>
<p>So how can we protect ourselves? Besides scrutinizing your phone bill every month for premium charges, there are ways to protect yourself from dangers such as this. Depending on your service provider and country, you may have the option to turn off all premium services or to be notified when a premium charge is about to be incurred. There are also security apps that can prevent this from the get-go, such as <a href="https://www.mcafeemobilesecurity.com/">McAfee Mobile Security</a>, which will ensure all possible protection for your finances and your personal life. Whatever the case is for you, the one thing you should <i>not</i> do is sit by and let creepy crawlers infest your life. Protect yourself. Find your virtual bottle of bug spray today!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/consumer/badnews-for-good-people/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>One-Click Fraud Variant on Google Play in Japan Steals User Data</title>
		<link>http://blogs.mcafee.com/mcafee-labs/one-click-fraud-variant-on-google-play-in-japan-steals-user-data</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/one-click-fraud-variant-on-google-play-in-japan-steals-user-data#comments</comments>
		<pubDate>Tue, 09 Apr 2013 18:07:52 +0000</pubDate>
		<dc:creator>Daisuke Nakajima</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Mobile - Consumer]]></category>
		<category><![CDATA[Android security]]></category>
		<category><![CDATA[Android/OneClickFraud]]></category>
		<category><![CDATA[Google Play]]></category>
		<category><![CDATA[one-click fraud]]></category>
		<category><![CDATA[online safety]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=23774</guid>
		<description><![CDATA[Last week McAfee Labs reported a series of &#8220;one-click fraud&#8221; malware on Google Play in Japan. We have been monitoring this fraudulent activity and have found more than 120 additional variants on Google Play since the previous report. The malicious developers upload five or six applications per account using three to five accounts every night, <a href="http://blogs.mcafee.com/mcafee-labs/one-click-fraud-variant-on-google-play-in-japan-steals-user-data">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p><a href="http://blogs.mcafee.com/mcafee-labs/ongoing-google-play-attacks-plague-japanese-with-variation-on-one-click-fraud">Last week McAfee Labs reported</a> a series of &#8220;one-click fraud&#8221; malware on Google Play in Japan. We have been monitoring this fraudulent activity and have found more than 120 additional variants on Google Play since the previous report. The malicious developers upload five or six applications per account using three to five accounts every night, even though almost all of the applications are quickly deleted from Google Play. In some cases the fraudsters upload the applications with few or no modifications to the previous ones, and in other cases they substantially modify images and descriptions. But the final behavior is always the same.</p>
<p>Most of the variants of this malware have the same functionality, with only slight differences in their implementation code. They simply show the fraudulent web pages on the in-application web component or the device’s browser.</p>
<p>McAfee has also found a variant of this family of malware with more dangerous features. This variant retrieves the device user’s Google account name&#8211;the email address&#8211;as well as the phone number, and sends the information to the attacker’s remote server.</p>
<p>&nbsp;</p>
<p style="text-align: center;"><img class="size-full wp-image-23775  aligncenter" title="Fig.1 Application description page on Google Play" alt="Fig.1 Application description page on Google Play" src="http://blogs.mcafee.com/wp-content/uploads/2013/04/dnakajim20130409-ocf-gp-jp-top.png" width="240" height="384" /></p>
<p style="text-align: center;">The application description page on Google Play.</p>
<p>&nbsp;</p>
<p>This application, tv.maniax.p_urapane1, is a 16-piece slider-puzzle game consisting of pornographic images. It also plays movie files when the user completes the game.</p>
<p>Unlike previous variants from this family of fraudulent malware, this application requires several permissions at installation that are usually unnecessary for this type of game:</p>
<ul>
<li>android.permission.READ_PHONE_STATE</li>
<li>android.permission.GET_ACCOUNTS</li>
</ul>
<p>&nbsp;</p>
<p style="text-align: center;"><img class="size-large wp-image-23783 aligncenter" title="Fig.2 List of required permissions" alt="Fig.2 List of required permissions" src="http://blogs.mcafee.com/wp-content/uploads/2013/04/dnakajim20130409-ocf-gp-jp-perm.png" width="391" height="320" /></p>
<p style="text-align: center;">The malware&#8217;s list of required permissions.</p>
<p>&nbsp;</p>
<p>Behind the scenes, the malware retrieves the user’s data using these permissions and sends it to a remote server by opening the URL http://man****app.com/m/users/aftpur/GOOGLE_ACCOUNT_NAME/PHONE_NUMBER. It stores the data in a MySQL database server using the Java Database Connectivity API in a database-driver library in the application.</p>
<p>&nbsp;</p>
<p style="text-align: center;"><img class="size-large wp-image-23782 aligncenter" title="Fig.3  Application screens" alt="Fig.3  Application screens" src="http://blogs.mcafee.com/wp-content/uploads/2013/04/dnakajim20130409-ocf-gp-jp-game.png" width="583" height="322" /></p>
<p style="text-align: center;">Malware application screens.</p>
<p>&nbsp;</p>
<p style="text-align: center;"><img class="size-large wp-image-23776 aligncenter" title="Fig.4 Google account name and phone number data sent on network" alt="Fig.4 Google account name and phone number data sent on network" src="http://blogs.mcafee.com/wp-content/uploads/2013/04/ocf-gp-jp-dnakajim20130409-traffic.png" width="615" height="145" /></p>
<p style="text-align: center;">Google account name and phone number data sent to the attacker&#8217;s server.</p>
<p>&nbsp;</p>
<p>This application also displays some &#8220;advertisement&#8221; links at the bottom of the screen. The application’s description page on Google Play says that the developer does not guarantee the safety of these linked advertisements, implying that they are not aware of the contents of the ads. In fact, however, the application simply displays the image files bundled in the application package and invokes the browser with the hard-coded URL http://pr**.*obi/?neosp_nontop_eropne01, which is the fraudulent web page often used in other variants of this one-click-fraud family of malware.</p>
<p>&nbsp;</p>
<p style="text-align: center;"><img class="size-large wp-image-23781 aligncenter" title="Fig.5 Fraudulent Web pages" alt="Fig.5 Fraudulent Web pages" src="http://blogs.mcafee.com/wp-content/uploads/2013/04/dnakajim20130409-ocf-gp-jp-fraud.png" width="583" height="322" /></p>
<p style="text-align: center;">Fraudulent web pages.</p>
<p>&nbsp;</p>
<p>The stolen Google account name and phone number are not directly used in the fraudulent page opened from this application. However, we expect the attacker will try to use this information for future malicious activities.</p>
<p>Fortunately, this application was deleted from Google Play within a day after it was added, and so the number of victims should be small. But the appearance of this variant indicates that the attackers are determined to collect personal information from their victims and that they are capable of developing variants with more advanced features than previous ones.</p>
<p>McAfee Mobile Security detects this application as Android/OneClickFraud, and will continue to monitor for more fraudulent activities from this family in Japan.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/one-click-fraud-variant-on-google-play-in-japan-steals-user-data/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ongoing Google Play Attacks Plague Japanese with Variation on One-Click Fraud</title>
		<link>http://blogs.mcafee.com/mcafee-labs/ongoing-google-play-attacks-plague-japanese-with-variation-on-one-click-fraud</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/ongoing-google-play-attacks-plague-japanese-with-variation-on-one-click-fraud#comments</comments>
		<pubDate>Wed, 03 Apr 2013 16:08:52 +0000</pubDate>
		<dc:creator>Daisuke Nakajima</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Mobile - Consumer]]></category>
		<category><![CDATA[Android security]]></category>
		<category><![CDATA[Android/OneClickFraud]]></category>
		<category><![CDATA[Google Play]]></category>
		<category><![CDATA[one-click fraud]]></category>
		<category><![CDATA[online safety]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=23469</guid>
		<description><![CDATA[In what may be the biggest security-related incident on Google Play this year, multiple Trojans targeting Japanese users were discovered carrying the strain of Android one-click fraud. McAfee Mobile Research has already identified multiple developer accounts that were used to spread the malware and confirmed that more than 80 applications of this type existed on <a href="http://blogs.mcafee.com/mcafee-labs/ongoing-google-play-attacks-plague-japanese-with-variation-on-one-click-fraud">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>In what may be the biggest security-related incident on Google Play this year, multiple Trojans targeting Japanese users were discovered carrying the strain of Android one-click fraud. McAfee Mobile Research has already identified multiple developer accounts that were used to spread the malware and confirmed that more than 80 applications of this type existed on Google Play as of this writing. We have also reported additional developer accounts to Google Play Security for investigation and revocation.</p>
<p><img class="alignnone size-full wp-image-23608" alt="one-click-fraud-gp-jpn-new-L" src="http://blogs.mcafee.com/wp-content/uploads/2013/04/one-click-fraud-gp-jpn-new-L.png" width="415" height="622" /></p>
<p>Our investigation into the apps has shown that new variants of one-click fraud have been altered so that the fraud is not immediately identifiable unless the victim interacts with the apps&#8211;in effect making the apps “two-click fraud” or even “three-click fraud”&#8211;and making the automated screening and scanning process difficult.</p>
<p>In fact, these applications simply invoke the web browser on the device or the web-view component inside the application to load the web contents. Because the fraud itself appears only after this extra step, automated detection of this type of malware is more difficult.</p>
<p><img class="alignnone size-full wp-image-23605" alt="one-click-fraud-gp-jpn-new-e" src="http://blogs.mcafee.com/wp-content/uploads/2013/04/one-click-fraud-gp-jpn-new-e.png" width="474" height="195" /></p>
<p>One-click fraud is a threat vector that is unique to Japan and has been around for more than a decade on PCs, but recent aggressive tactics during the past year show that the criminals behind this scam are committed to exploiting mobile devices.</p>
<p>By using two or more clicks to commit fraud, an attacker can more easily trick users into believing that they are actually registered in the fraudulent service. Victims are more likely to pay money or give detailed personal information to the attacker.</p>
<p>In the current fraud, the attacker used multiple developer accounts on Google Play, as well as almost the same description of the applications across these separate accounts. This indicates that this type of fraudulent application variant is easily created and distributed. Actually, the attacker created new developer accounts soon after old accounts were banned due to malware reporting and published almost the same applications with minor changes under these new accounts.</p>
<p>What is worse, the essential part of this fraud occurs on the websites rather than inside the Android application, so there are still risks that the number of victims will increase via web browsing even if these applications are removed from Google Play.</p>
<p>McAfee detects this malware family as Android/OneClickFraud. We also detect and block the web accesses to the URLs used in this series of online fraud to protect users when they encounter the malicious fraud sites using their browsers. Make sure to keep your McAfee security products updated and stay tuned to McAfee Labs blogs for additional information as we continue our investigation.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/ongoing-google-play-attacks-plague-japanese-with-variation-on-one-click-fraud/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fake Cleaning Apps in Google Play: an AutoRun Attack and More</title>
		<link>http://blogs.mcafee.com/mcafee-labs/fake-cleaning-apps-in-google-play-an-autorun-attack-and-more</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/fake-cleaning-apps-in-google-play-an-autorun-attack-and-more#comments</comments>
		<pubDate>Thu, 07 Feb 2013 20:01:17 +0000</pubDate>
		<dc:creator>Carlos Castillo</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Android Malware]]></category>
		<category><![CDATA[Android Market]]></category>
		<category><![CDATA[Autorun]]></category>
		<category><![CDATA[Google Play]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Ssucl]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=21894</guid>
		<description><![CDATA[Almost exactly one year ago, Google announced the addition of a “new layer to Android security,” a service codenamed Bouncer that was intended to provide automated scanning of the Android Market for potentially malicious software. However, as my colleague Jimmy Shah wrote in a previous blog post, Bouncer has not been enough to keep all <a href="http://blogs.mcafee.com/mcafee-labs/fake-cleaning-apps-in-google-play-an-autorun-attack-and-more">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Almost exactly one year ago, <a href="http://googlemobile.blogspot.com/2012/02/android-and-security.html">Google announced</a> the addition of a “new layer to Android security,” a service codenamed Bouncer that was intended to provide automated scanning of the Android Market for potentially malicious software. However, as my colleague Jimmy Shah wrote <a href="http://blogs.mcafee.com/mcafee-labs/android-market-gets-a-bouncer-to-kick-out-malware">in a previous blog post, </a>Bouncer has not been enough to keep <em><strong>all</strong> </em>the malware out of the market: We saw Android malware (for example, <a href="http://blogs.mcafee.com/mcafee-labs/android-market-gets-a-bouncer-to-kick-out-malware">Android/DougaLeaker)</a> distributed in the Google Play Market in 2012. Recently, two malicious applications from the developer Smart.Apps <a href="http://www.securelist.com/en/blog/805/Mobile_attacks">were found</a> using the same official distribution method:</p>
<p>&nbsp;</p>
<p><a href="http://blogs.mcafee.com/mcafee-labs/fake-cleaning-apps-in-google-play-an-autorun-attack-and-more/attachment/castillo-20130207-droidcleaner" rel="attachment wp-att-21921"><img class="alignnone size-full wp-image-21921" alt="Castillo 20130207 DroidCleaner" src="http://blogs.mcafee.com/wp-content/uploads/2013/02/Castillo-20130207-DroidCleaner.png" width="248" height="185" /></a><a href="http://blogs.mcafee.com/mcafee-labs/fake-cleaning-apps-in-google-play-an-autorun-attack-and-more/attachment/castillo-20130207-superclean" rel="attachment wp-att-21922"><img class="alignnone size-full wp-image-21922" alt="Castillo 20130207 SuperClean" src="http://blogs.mcafee.com/wp-content/uploads/2013/02/Castillo-20130207-SuperClean.png" width="257" height="186" /></a></p>
<p>Both applications present themselves as “optimizers” that make Android devices faster and more responsive by cleaning the browser cache, optimizing network settings, clearing unused log files, and so on. When the applications are executed, they display fake user interfaces:</p>
<p><a href="http://blogs.mcafee.com/mcafee-labs/fake-cleaning-apps-in-google-play-an-autorun-attack-and-more/attachment/castillo-20130207-execution" rel="attachment wp-att-21929"><img class="alignnone size-full wp-image-21929" alt="Castillo 20130207 Execution" src="http://blogs.mcafee.com/wp-content/uploads/2013/02/Castillo-20130207-Execution.png" width="198" height="374" /></a><a href="http://blogs.mcafee.com/mcafee-labs/fake-cleaning-apps-in-google-play-an-autorun-attack-and-more/attachment/castillo-20130207-execution2" rel="attachment wp-att-21930"><img class="alignnone size-full wp-image-21930" alt="Castillo 20130207 Execution2" src="http://blogs.mcafee.com/wp-content/uploads/2013/02/Castillo-20130207-Execution2.png" width="316" height="454" /></a></p>
<p>In the case of DroidCleaner, the graphical user interface is more elaborate; the application displays three different cleaning options that lead to the same fake progress bar:</p>
<p><a href="http://blogs.mcafee.com/mcafee-labs/fake-cleaning-apps-in-google-play-an-autorun-attack-and-more/attachment/castillo-20130207-fakeprogressbar1" rel="attachment wp-att-21932"><img class="alignnone size-full wp-image-21932" alt="Castillo 20130207 FakeProgressBar1" src="http://blogs.mcafee.com/wp-content/uploads/2013/02/Castillo-20130207-FakeProgressBar1.png" width="281" height="136" /></a><a href="http://blogs.mcafee.com/mcafee-labs/fake-cleaning-apps-in-google-play-an-autorun-attack-and-more/attachment/castillo-20130207-fakeprogressbar2" rel="attachment wp-att-21933"><img class="alignnone size-full wp-image-21933" alt="Castillo 20130207 FakeProgressBar2" src="http://blogs.mcafee.com/wp-content/uploads/2013/02/Castillo-20130207-FakeProgressBar2.png" width="277" height="113" /></a></p>
<p>Meanwhile, in the background and without user consent, a service establishes a communication with a control server. The commands include common actions performed by other Android malware:</p>
<ul>
<li>Sending device and network information (IMEI, IMSI, phone number) to a remote server</li>
<li>Sending and deleting SMS messages (could be used to subscribe the user to premium-rate services)</li>
<li>Stealing sensitive personal information (installed applications, pictures, contacts, SMS messages, GPS coordinates)</li>
<li>Mapping the contents of the SD card (files and directories) to later upload to the remote server</li>
</ul>
<p>Other less common functions are also implemented as available commands:</p>
<ul>
<li>Executing shell commands remotely</li>
<li>Rebooting the device using the command “reboot” on rooted devices</li>
<li>Launching another application installed in the device without user consent</li>
<li>Setting call forwarding and changing the ringer mode to silent so the user is not aware that calls are being redirected to another number</li>
</ul>
<p>One of the most interesting commands in this new Android malware is UsbAutorunAttack, which downloads three files (autorun.inf, folder.ico, and svchost.exe) from a remote server and places them on the SD card in order to infect Windows computers that have the AutoRun feature enabled. This new distribution method may not be as effective because the latest version of Windows has AutoRun disabled by default; yet it is interesting to see Android malware trying to infect Windows computers.</p>
<p>Another interesting command in this threat is CallOut, which aims to initiate the dialer’s pad with a specific phone number. The implementation of this command reminds me of the <a href="http://blogs.mcafee.com/consumer/android-phones-vulnerable-to-loss-of-data-apps">“Dirty USSD”</a> vulnerability, discovered last year, because this one uses the protocol “tel:,” which can be used with a special USSD code to wipe an Android device. Although we haven’t seen this attack in the wild and the issue has already been fixed for most devices with an OTA software update, due to the fragmentation problem of Android it is possible that your device doesn’t have the latest version of the operating system. To find out if your device is vulnerable, McAfee offers <a href="https://www.mcafeemobilesecurity.com/dialer-protection/">a test page</a> that performs a test with nonmalicious code. If your device is vulnerable, you can download and install the McAfee Dialer Protection app from <a href="https://play.google.com/store/apps/details?id=com.mcafee.stinger">Google Play.</a></p>
<p>This threat also executes phishing attacks aimed at stealing Android (Google) and Dropbox credentials by showing the following user interfaces to the user when the commands creds_attack and creds_dropbox are sent by the control server:</p>
<p><a href="http://blogs.mcafee.com/mcafee-labs/fake-cleaning-apps-in-google-play-an-autorun-attack-and-more/attachment/castillo-20130207-dropbox_phishing" rel="attachment wp-att-21938"><img class="alignnone size-full wp-image-21938" alt="Castillo 20130207 Dropbox_Phishing" src="http://blogs.mcafee.com/wp-content/uploads/2013/02/Castillo-20130207-Dropbox_Phishing.png" width="327" height="488" /></a></p>
<p><a href="http://blogs.mcafee.com/mcafee-labs/fake-cleaning-apps-in-google-play-an-autorun-attack-and-more/attachment/castillo-20130207-android_phishing" rel="attachment wp-att-21939"><img class="alignnone size-full wp-image-21939" alt="Castillo 20130207 Android_Phishing" src="http://blogs.mcafee.com/wp-content/uploads/2013/02/Castillo-20130207-Android_Phishing.png" width="318" height="477" /></a></p>
<p>Once the user enters the information and taps “Login,” the stolen credentials are sent to the remote server while the message “Wrong credentials” is displayed.</p>
<p>McAfee Mobile Security detects this mobile threat as Android/Ssucl.A. The Windows threat is detected by McAfee VirusScan/Total Protection as Generic Dropper.p.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/fake-cleaning-apps-in-google-play-an-autorun-attack-and-more/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Android Apps: Trick or Treat?</title>
		<link>http://blogs.mcafee.com/consumer/android-apps-trick-or-treat</link>
		<comments>http://blogs.mcafee.com/consumer/android-apps-trick-or-treat#comments</comments>
		<pubDate>Wed, 31 Oct 2012 21:20:55 +0000</pubDate>
		<dc:creator>Lianne Caetano</dc:creator>
				<category><![CDATA[Consumer]]></category>
		<category><![CDATA[Mobile - Consumer]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[app store]]></category>
		<category><![CDATA[apps]]></category>
		<category><![CDATA[Google Play]]></category>
		<category><![CDATA[halloween]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=19877</guid>
		<description><![CDATA[Halloween is here but don’t be scared by ghosts and goblins – the things that go bump in the night might just be malicious spyware, malware and viruses invading your phone and collecting your personal information. Before you trick-or-treat around the app world, be aware that some of those seemingly harmless apps could become more <a href="http://blogs.mcafee.com/consumer/android-apps-trick-or-treat">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Halloween is here but don’t be scared by ghosts and goblins – the things that go bump in the night might just be malicious spyware, malware and viruses invading your phone and collecting your personal information. Before you trick-or-treat around the app world, be aware that some of those seemingly harmless apps could become more dangerous than you had imagined.</p>
<p>Free apps, much like Halloween candy, can be tempting but not worth indulging in. Cybercriminals have been busy this season distributing malicious apps with the sole purpose of stealing the personal information stored on your phone, sometimes even sending out expensive texts to your contacts without your knowledge. A <a href="http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf">study</a> conducted by <a href="http://www.uni-hannover.de/en/index.php">Leibniz University of Hannover</a> and <a href="http://www.uni-marburg.de/index_html-en?set_language=en">Philipps University of Marburg</a> found that 8% of apps have the capability to steal your personal information or infect your phone with malware.</p>
<p>Popular free apps downloaded through Google Play can access your personal information in several ways. If you are not aware of them before downloading, that treat of an application can quickly turn into a trick that steals your personal information.</p>
<p>Simply by “checking-in” at your favorite restaurant or tagging the location of your latest picture you might be giving cybercriminals more information than you realize. When opened, specific apps are able to track and pinpoint your exact location on any given day.</p>
<p>Other apps obtain your information through permission given by Android users themselves. By accepting the terms of agreement you may be unknowingly giving your app permission to search contact lists, personal photos and email addresses.</p>
<p>Malicious attacks from your favorite apps can be easily avoided by being aware, smart and secure. Follow these five steps to ensure your mobile device is safe before downloading that app:</p>
<p style="text-align: center;"><img class="wp-image-19880 aligncenter" style="text-align: right;" title="mcafee-droid" src="http://blogs.mcafee.com/wp-content/uploads/2012/10/mcafee-droid.png" alt="" width="242" height="272" /></p>
<ol>
<li><strong>Be aware of bad apps</strong>— just knowing about the problem can help you avoid trouble. Be suspicious when you see negative reviews of an app or come across a free app that seems too good to be true. Check out the <a href="http://home.mcafee.com/advicecenter/Default.aspx?id=ad_ms">McAfee Mobile Security Advice Center</a> for more info.</li>
<li><strong>Do your research</strong>— before downloading an app, check other users’ ratings and read reviews of the publishers. These ratings and reviews will give important insight into potential problems others have encountered with the app.</li>
<li><strong>Only purchase from a reputable app store</strong>—stick with legitimate vendors, such as Google Play or the Apple App Store. Android users can also avoid installing non-market apps by deselecting the “Unknown Sources” option in their device’s Application Settings menu.</li>
<li><strong>Check the permissions</strong>— when you are installing an app, check to see if it is asking for permission to access your personal data, location, camera or even your network. Understanding all permissions can be difficult but with the help of McAfee App Alert technology, users will have a better understanding whether an app is risky to install.</li>
<li><strong>Get mobile security</strong>— before downloading any new apps, make sure you install <a href="https://www.mcafeemobilesecurity.com/default.aspx">mobile antivirus software</a> on your phone to help protect you from malicious apps and other mobile threats. Software options can include backup and restore functions, as well as the ability to locate and track your device.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/consumer/android-apps-trick-or-treat/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile Devices: The Gateway for Hackers to Your Digital Identity</title>
		<link>http://blogs.mcafee.com/consumer/mobile-devices-the-gateway-for-hackers-to-your-digital-identity</link>
		<comments>http://blogs.mcafee.com/consumer/mobile-devices-the-gateway-for-hackers-to-your-digital-identity#comments</comments>
		<pubDate>Fri, 26 Oct 2012 19:35:45 +0000</pubDate>
		<dc:creator>Luis Blando</dc:creator>
				<category><![CDATA[Consumer]]></category>
		<category><![CDATA[Mobile - Consumer]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Google Play]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[mobile security]]></category>
		<category><![CDATA[NCSA]]></category>
		<category><![CDATA[tips to mobile security]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=19681</guid>
		<description><![CDATA[While it is widely understood that mobile devices are more than just phones – they are a lifeline to the outside world, entertainment platform, GPS system, little black book and a shopping and banking tool – it’s lesser known that these devices are also gateways. Mobile devices can be used by a hacker as an <a href="http://blogs.mcafee.com/consumer/mobile-devices-the-gateway-for-hackers-to-your-digital-identity">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>While it is widely understood that mobile devices are more than just phones – they are a lifeline to the outside world, entertainment platform, GPS system, little black book and a shopping and banking tool – it’s lesser known that these devices are also gateways. Mobile devices can be used by a hacker as an access point into many other aspects of your digital life as well as the lives of others in your network, making mobile security about more than just protecting your phone.</p>
<p>Hackers can use your mobile device as an access point to data that have historically been stored exclusively on your laptop or desktop, such as social network and bank accounts. One of the most harmful (and popular) mobile threats has to do with apps. Installing apps from unknown or untrusted sources, like apps outside the official Google Play Market, could allow hackers to steal sensitive and private information stored on your mobile device including passwords, photos, contacts and location data.</p>
<p>Because your mobile device is the key to your digital identity, hackers can use it as a way to get to other devices. One of the recently discovered methods attackers are using is malware called Android/NotCompatible. <a href="http://blogs.mcafee.com/mcafee-labs/androidnotcompatible-looks-like-piece-of-pc-botnet">This Android Trojan</a> is a drive-by download that turns an infected mobile device into an access point, or proxy, to break into private computer networks. This means that this hack could not only lead to attacks on your other devices, but also the devices of anyone connected on the same network as you. It works by forwarding the network traffic sent by the control server to another host in the network, which could be any other device inside a corporate network if the mobile device is connected to an internal Wi-Fi. Essentially, if you fall victim to this drive-by download, you are exposing your entire digital life to attackers, as well as that of anyone connected to your network – such as your colleagues, family or roommates. Worms and Man-in-the-Middle attacks are other examples of threats in which a hacker could potentially use one mobile device as the access point to other devices.</p>
<p>With the type and frequency of mobile threats on the rise, consumers need to ensure that they cut off hackers at the gateway, their mobile devices. While consumers are used to PCs being almost universally equipped with firewall protection and some sort of anti-malware defense to guard against attacks, they don’t realize that mobile devices are usually left defenseless and don’t take the necessary measures to protect their digital identity. In fact, according to a study that <a href="http://blogs.mcafee.com/consumer/online-safety-survey2012">The National Cyber Security Alliance conducted with McAfee,</a> 64 percent of Americans have never installed security software or apps on their mobile device in order to make it more secure from viruses or malware.</p>
<p>Before you allow hackers to use your mobile device as the gateway to your online identity, or the devices of those in your network, make sure you are using a mobile protection solution that defends against the aforementioned hacks and helps you understand the risky behaviors associated with apps.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/consumer/mobile-devices-the-gateway-for-hackers-to-your-digital-identity/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Unwanted Apps in Google Play Pose as Fake AV</title>
		<link>http://blogs.mcafee.com/mcafee-labs/unwanted-apps-in-google-play-pose-as-fake-av</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/unwanted-apps-in-google-play-pose-as-fake-av#comments</comments>
		<pubDate>Thu, 10 May 2012 18:47:13 +0000</pubDate>
		<dc:creator>Carlos Castillo</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[fake anti-virus software]]></category>
		<category><![CDATA[fake-av]]></category>
		<category><![CDATA[Google Play]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[pup]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=16055</guid>
		<description><![CDATA[In recent years one of the most prevalent malware threats for PCs (and lately Mac users) is fake-antivirus software, which pretends to be a legitimate security program. Its real purpose is to charge victims a fee to remove a nonexistent threat. The same threat has now been ported to mobile devices. In some cases we <a href="http://blogs.mcafee.com/mcafee-labs/unwanted-apps-in-google-play-pose-as-fake-av">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>In recent years one of the most prevalent malware threats for PCs (and lately Mac users) is fake-antivirus software, which pretends to be a legitimate security program. Its real purpose is to charge victims a fee to remove a nonexistent threat. The same threat has now been ported to mobile devices. In some cases we see the same or similar behavior: getting revenue from users via SMS messages to a premium-rate number or malware that poses as security software to encourage users to install a malicious app (<a href="http://home.mcafee.com/virusinfo/virusprofile.aspx?key=555490#none">such as Android/Zitmo.F</a>).</p>
<p>Recently 17 suspicious applications, uploaded by the developer thasnimola, were found in the official Google Play market:</p>
<p><a href="http://blogs.mcafee.com/?attachment_id=16057"><img class="aligncenter size-full wp-image-16057" src="http://blogs.mcafee.com/wp-content/uploads/2012/05/Thasnimola1-8.png" alt="" width="953" height="643" /></a>Most of them use a shield as an icon to show that they could be related to “protection” software but some of them also use non-AV names and descriptions with popular keywords like “free,” “Video Downloader,” “Call recorder,” and “sms” to attract users&#8217; attention and encourage the installation of the app. One interesting app is Top Free, which claims “Fast and lightweight malicious app protection for your phone.” Looking at this one further, it is clear that Top Free pretends to be AV software because it uses the screenshots of legitimate AV software as its own:</p>
<p><a href="http://blogs.mcafee.com/?attachment_id=16058"><img class="aligncenter size-full wp-image-16058" src="http://blogs.mcafee.com/wp-content/uploads/2012/05/FakeAV_screenshots.jpg" alt="" width="303" height="273" /></a></p>
<p>Some of them also use an “Antivirus FREE” banner on the app&#8217;s web page:</p>
<p><a href="http://blogs.mcafee.com/?attachment_id=16059"><img class="aligncenter size-full wp-image-16059" src="http://blogs.mcafee.com/wp-content/uploads/2012/05/shayaries-1.png" alt="" width="1020" height="338" /></a></p>
<p>However, unlike fake-antivirus software threats for PCs and Macs, these applications do not gain revenue from users by detecting nonexistent Android malware. Instead, these apps make money using a more legitimate method: advertisements. All the suspicious apps were created using the same free online service used to create the <a href="http://blogs.mcafee.com/mcafee-labs/android-diy-dos-app-boosts-hacktivism-in-south-america">Android/DIYDoS</a> hack tool. For this reason the behavior is nearly the same: When the application is executed, a WebView component shows the contents of a URL that is stored in an XML file inside the res/raw folder:</p>
<p style="text-align: center;"><a href="http://blogs.mcafee.com/?attachment_id=16060"><img class="wp-image-16060 aligncenter" src="http://blogs.mcafee.com/wp-content/uploads/2012/05/execution_webview_fakeav.png" alt="" width="232" height="342" /></a></p>
<p>One difference between these apps and <a href="http://blogs.mcafee.com/mcafee-labs/android-diy-dos-app-boosts-hacktivism-in-south-america">Android/DIYDoS</a> is that these include an advertisement module, provided by the online service that creates the applications, which sends sensitive device information (IMEI, GPS coordinates) to a remote server:</p>
<p><a href="http://blogs.mcafee.com/?attachment_id=16061"><img class="aligncenter size-full wp-image-16061" src="http://blogs.mcafee.com/wp-content/uploads/2012/05/sending_IMEI_GPS.png" alt="" width="689" height="154" /></a></p>
<p>Here is the complete list of the unwanted applications that we reported to Google:</p>
<table border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" width="175">App Name</td>
<td valign="top" width="192">Package</td>
<td valign="top" width="186">Installs (Google Play)</td>
</tr>
<tr>
<td valign="top" width="175">love sms</td>
<td valign="top" width="192">com.wDictionarye</td>
<td valign="top" width="186">100-500</td>
</tr>
<tr>
<td valign="top" width="175">jokes</td>
<td valign="top" width="192">com.wcopywap2</td>
<td valign="top" width="186">100-500</td>
</tr>
<tr>
<td valign="top" width="175">video convertor</td>
<td valign="top" width="192">com.whackmanmobisms</td>
<td valign="top" width="186">100-500</td>
</tr>
<tr>
<td valign="top" width="175">send free sms</td>
<td valign="top" width="192">com.wPhotoscapeyy</td>
<td valign="top" width="186">100-500</td>
</tr>
<tr>
<td valign="top" width="175">sms sender</td>
<td valign="top" width="192">com.wcopywap6</td>
<td valign="top" width="186">100-500</td>
</tr>
<tr>
<td valign="top" width="175">top free</td>
<td valign="top" width="192">com.wcopywap4</td>
<td valign="top" width="186">100-500</td>
</tr>
<tr>
<td valign="top" width="175">friendship sms</td>
<td valign="top" width="192">com.wvideodown2</td>
<td valign="top" width="186">100-500</td>
</tr>
<tr>
<td valign="top" width="175">hissam sms collections</td>
<td valign="top" width="192">com.wcall</td>
<td valign="top" width="186">100-500</td>
</tr>
<tr>
<td valign="top" width="175">top free sms</td>
<td valign="top" width="192">com.wcopywap5</td>
<td valign="top" width="186">10-50</td>
</tr>
<tr>
<td valign="top" width="175">sms free</td>
<td valign="top" width="192">com.wSpokenEnglisheee</td>
<td valign="top" width="186">10-50</td>
</tr>
<tr>
<td valign="top" width="175">free message sender</td>
<td valign="top" width="192">com.wcopywapphoto</td>
<td valign="top" width="186">10-50</td>
</tr>
<tr>
<td valign="top" width="175">shayaries</td>
<td valign="top" width="192">com.wTabla</td>
<td valign="top" width="186">1-5</td>
</tr>
<tr>
<td valign="top" width="175">sms</td>
<td valign="top" width="192">com.whissamsmscollections</td>
<td valign="top" width="186">1-5</td>
</tr>
<tr>
<td valign="top" width="175">sms collections</td>
<td valign="top" width="192">com.wChromea</td>
<td valign="top" width="186">1-5</td>
</tr>
<tr>
<td valign="top" width="175">free call recorder</td>
<td valign="top" width="192">com.wfreecallrecorder</td>
<td valign="top" width="186">N/A</td>
</tr>
<tr>
<td valign="top" width="175">youtube video downloader</td>
<td valign="top" width="192">com.wvideo9</td>
<td valign="top" width="186">N/A</td>
</tr>
<tr>
<td valign="top" width="175">free sms</td>
<td valign="top" width="192">com.whissamsmscollections2</td>
<td valign="top" width="186">N/A</td>
</tr>
</tbody>
</table>
<p>All of these have already been removed from Google Play. If you have enabled detection for potentially unwanted programs (PUPs, our default setting), then McAfee Mobile Security for Android will detect these apps as Android/DIYAds.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/unwanted-apps-in-google-play-pose-as-fake-av/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Android Malware Promises Video While Stealing Contacts</title>
		<link>http://blogs.mcafee.com/mcafee-labs/android-malware-promises-video-while-stealing-contacts</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/android-malware-promises-video-while-stealing-contacts#comments</comments>
		<pubDate>Fri, 13 Apr 2012 20:55:12 +0000</pubDate>
		<dc:creator>Carlos Castillo</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[DougaLeaker]]></category>
		<category><![CDATA[Google Play]]></category>
		<category><![CDATA[Japan]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=15513</guid>
		<description><![CDATA[Recently we discovered a new Android Trojan in the official Google Play market that displays a video downloaded from the Internet&#8211;but only if some sensitive information is previously sent to a remote server. The malicious applications are designed for Japanese users and display “trailers” of upcoming video games for Android. Here&#8217;s one example: Or anime/adult <a href="http://blogs.mcafee.com/mcafee-labs/android-malware-promises-video-while-stealing-contacts">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;">Recently we discovered a new Android Trojan in the official Google Play market that displays a video downloaded from the Internet&#8211;but only if some sensitive information is previously sent to a remote server. The malicious applications are designed for Japanese users and display “trailers” of upcoming video games for Android. Here&#8217;s one example:</p>
<p><a href="http://blogs.mcafee.com/?attachment_id=15514"><img class="aligncenter size-full wp-image-15514" src="http://blogs.mcafee.com/wp-content/uploads/2012/04/gurabia.png" alt="" width="243" height="205" /></a></p>
<p>Or anime/adult Japanese videos:</p>
<p><a href="http://blogs.mcafee.com/?attachment_id=15515"><img class="aligncenter size-full wp-image-15515" src="http://blogs.mcafee.com/wp-content/uploads/2012/04/bizin.png" alt="" width="246" height="191" /></a></p>
<p>When the application is about to be installed, two suspicious permissions&#8211;read contact data and read phone state and identity&#8211;are requested. Neither is needed for the principal purpose of the application, which is to display a video from the Internet. The reason for these requests becomes clear because the first action that the malware takes when it executes is to obtain, in the background, the following sensitive information from the device without the user’s consent:</p>
<ul>
<li>Android ID: Unlike most Android malware and PUPs (potentially unwanted programs) that gather the IMEI to uniquely identify a device, this malicious application obtains the android_id which <a href="http://developer.android.com/reference/android/provider/Settings.Secure.html">according to the Android API</a> is a “64-bit number that is randomly generated on the device&#8217;s first boot and should remain constant for the lifetime of the device.”</li>
<li>Phone number: Obtains the phone number of the device. READ_PHONE_STATE permission is required to gather this information.</li>
<li>Contact List: Gets the name, telephone number, and email of every person in the contact list.</li>
</ul>
<p>While the data is harvested, the victim sees this “loading” message:</p>
<p><a href="http://blogs.mcafee.com/?attachment_id=15516"><img class="aligncenter size-full wp-image-15516" src="http://blogs.mcafee.com/wp-content/uploads/2012/04/loading.png" alt="" width="319" height="484" /></a></p>
<p>Once the information is obtained, the malicious application sends it to a remote server in clear text:</p>
<p><a href="http://blogs.mcafee.com/?attachment_id=15517"><img class="aligncenter size-full wp-image-15517" src="http://blogs.mcafee.com/wp-content/uploads/2012/04/data_leakage_modified.png" alt="" width="697" height="213" /></a></p>
<p>If the data was sent successfully, the application requests a specific video from the same server and displays it using a VideoView component. If the malware fails at its background theft (for example, the device does not have an Internet connection), a message in Japanese says that an error has occurred and the video has not loaded:</p>
<p><a href="http://blogs.mcafee.com/?attachment_id=15518"><img class="aligncenter size-full wp-image-15518" src="http://blogs.mcafee.com/wp-content/uploads/2012/04/error.png" alt="" width="325" height="492" /></a></p>
<p>So far we have discovered 15 applications from two developers that, according to Google Play statistics, have been downloaded by at least 70,000 users. Due to the privacy risk that these applications represent to Android customers, all of them have been removed from the market. McAfee Mobile Security detects these threats as Android/DougaLeaker.A. Prior to installation, users should verify in the Google Play market that the application does not request permission to perform actions not related to its purpose.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/android-malware-promises-video-while-stealing-contacts/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
