<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog Central &#187; Japan</title>
	<atom:link href="http://blogs.mcafee.com/tag/japan/feed" rel="self" type="application/rss+xml" />
	<link>http://blogs.mcafee.com</link>
	<description></description>
	<lastBuildDate>Tue, 21 May 2013 17:29:21 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Fake Vertu App Infects Korean and Japanese Android Users</title>
		<link>http://blogs.mcafee.com/consumer/fake-vertu-app-infects-korean-and-japanese-android-users</link>
		<comments>http://blogs.mcafee.com/consumer/fake-vertu-app-infects-korean-and-japanese-android-users#comments</comments>
		<pubDate>Wed, 10 Apr 2013 20:10:18 +0000</pubDate>
		<dc:creator>Irfan Asrar</dc:creator>
				<category><![CDATA[Consumer]]></category>
		<category><![CDATA[Consumer Threat Alerts]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Mobile - Consumer]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Android/Smsilence]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Japan]]></category>
		<category><![CDATA[Korea]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[mobile malware]]></category>
		<category><![CDATA[mobile security]]></category>
		<category><![CDATA[targeted attacks]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=23828</guid>
		<description><![CDATA[A new threat has surfaced targeting users in Korea and Japan, but this attack, unlike others making the news, is not one motivated by political or ideological dogma. Instead, this one is based purely on old-fashioned greed. Vertu phone owners or those looking for a localized Vertu theme in Korean or Japanese for an Android <a href="http://blogs.mcafee.com/consumer/fake-vertu-app-infects-korean-and-japanese-android-users">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>A new threat has surfaced targeting users in Korea and Japan, but this attack, unlike others making the news, is not one motivated by political or ideological dogma. Instead, this one is based purely on old-fashioned greed. <a href="http://en.wikipedia.org/wiki/Vertu">Vertu</a> phone owners or those looking for a localized Vertu theme in Korean or Japanese for an Android phone had better think twice before downloading something. McAfee Mobile Research has identified a new variant of Android/Smsilence distributed under the guise of a Vertu upgrade/theme that is targeting Japanese and Korean users.</p>
<p><div id="attachment_23829" class="wp-caption aligncenter" style="width: 310px"><a href="http://blogs.mcafee.com/wp-content/uploads/2013/04/VertuJP3.jpg"><img class="size-medium wp-image-23829" alt="Fake Vertu app in Japanese." src="http://blogs.mcafee.com/wp-content/uploads/2013/04/VertuJP3-300x179.jpg" width="300" height="179" /></a><p class="wp-caption-text">Fake Vertu app in Japanese. (Click on images to enlarge.)</p></div></p>
<p>On installation, Android/Smsilence.C attempts to display a loading screen, while in the background registering the device phone number with an external server [XXX.XX.24.134] by sending an HTTP POST. The malware then registers an Internet filter on the local device so that any incoming messages are handled first by the Trojan and then forwarded to the same server. The loading screen eventually stops with a message in Japanese or Korean reporting that the service is unavailable and asking the user to try again.</p>
<p><a href="http://blogs.mcafee.com/wp-content/uploads/2013/04/Threat-Details-2.jpg"><img class="size-medium wp-image-23830  aligncenter" title="Threat Details" alt="Threat Details 2" src="http://blogs.mcafee.com/wp-content/uploads/2013/04/Threat-Details-2-300x192.jpg" width="300" height="192" /></a></p>
<p>McAfee’s research into the control management system used by this threat has shown that multiple domains (pointing to the same server) were used in addition to multiple guises to spread the threat. Around 20 fake branded apps&#8211;from coffee to fast-food chains, including an antivirus product from Korea that was uploaded to and revoked from Google Play&#8211;were used. Despite a lack of sophistication compared with other mobile botnets, Android/Smsilence was still able to infect between 50,000 and 60,000 mobile users, according to our analysis.</p>
<p><div id="attachment_23832" class="wp-caption aligncenter" style="width: 310px"><a href="http://blogs.mcafee.com/wp-content/uploads/2013/04/vertukr3.jpg"><img class="size-medium wp-image-23832 " alt="Fake Vertu app in Korean." src="http://blogs.mcafee.com/wp-content/uploads/2013/04/vertukr3-300x184.jpg" width="300" height="184" /></a><p class="wp-caption-text">Fake Vertu app in Korean.</p></div></p>
<p>The new variant now extends to Japanese victims. Most other threats targeting Japan this year have been minor variations of one-click fraud (also called scareware), which has been around in one form or another since 2004. Devices infected with Android/Smsilence.C are capable of sending back a lot more information, in addition to downloading additional spyware to the infected device.</p>
<p>Because carriers in Japan use the CMAIL protocol for text messaging, attempting to control and maintain a mobile botnet from outside of Japan is not easy (due to the security features implemented by Japanese carriers). We wonder if there was a local accomplice facilitating the spread or control of infected devices. This would also explain the function of a secondary package that is downloaded to an infected device only on demand by the botnet controller, and contains additional spyware functionality not limited to text messaging.</p>
<p>The most bizarre aspect of this new strain remains to be explained, and highlights a limitation in the antimalware research field. Regardless of whether we analyze an Android Trojan or a complex threat like Stuxnet, given enough time we can reverse-engineer any piece of code into its basic building blocks. Nonetheless, there are sometimes aspects to a case in which no matter how much time is spent investigating, we have no idea what the malware authors were thinking. In this case we discovered a file inside the malware that changes the package hash; that&#8217;s an evasive technique dubbed server-side polymorphism, which attempts to avoid detection by antimalware vendors. But it was not the technique that was confusing, even though this is the first time we have seen this technique used outside of an Eastern European threat family. The chosen file, the key component in the evasion technique, was a picture of London Mayor Boris Johnson.</p>
<p><div id="attachment_23850" class="wp-caption alignnone" style="width: 310px"><a href="http://blogs.mcafee.com/wp-content/uploads/2013/04/boris.jpg"><img class="size-medium wp-image-23850" alt="image files discovered in the package" src="http://blogs.mcafee.com/wp-content/uploads/2013/04/boris-300x188.jpg" width="300" height="188" /></a><p class="wp-caption-text">The malware authors included an image of London Mayor Boris Johnson.</p></div></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/consumer/fake-vertu-app-infects-korean-and-japanese-android-users/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Labs Paper Looks &#8216;Inside the World of the Citadel Trojan&#8217;</title>
		<link>http://blogs.mcafee.com/mcafee-labs/labs-paper-looks-inside-the-world-of-the-citadel-trojan</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/labs-paper-looks-inside-the-world-of-the-citadel-trojan#comments</comments>
		<pubDate>Fri, 01 Feb 2013 05:55:39 +0000</pubDate>
		<dc:creator>Ryan Sherstobitoff</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Citadel]]></category>
		<category><![CDATA[Denmark]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[Japan]]></category>
		<category><![CDATA[Poetry Group]]></category>
		<category><![CDATA[Poland]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=21719</guid>
		<description><![CDATA[Zeus “banking” malware and its variants have been making headlines in recent months. One variant, the Citadel Trojan, has now taken the spotlight with the news of its withdrawal from the open crimeware market. Recently the author of Citadel, Aquabox, has been banned from a large online forum that sells malware and other services to <a href="http://blogs.mcafee.com/mcafee-labs/labs-paper-looks-inside-the-world-of-the-citadel-trojan">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Zeus “banking” malware and its variants have been making headlines in recent months. One variant, the Citadel Trojan, has now taken the spotlight with the news of its withdrawal from the open crimeware market.</p>
<p>Recently the author of Citadel, Aquabox, has been banned from a large online forum that sells malware and other services to cybercriminals. Some in the security industry predict that this will be the downfall of the Citadel Trojan; this very well may be the case. However, at the moment McAfee Global Threat Intelligence shows that Citadel remains a very active threat and continues to target victims in several countries. As with any sophisticated malware—such as Zeus and SpyEye—that ceases development, this Trojan’s use will continue as long as it provides value to cybercriminal operations.</p>
<p>McAfee Labs concludes that some groups—and especially the “Poetry Group”—have shifted tactics to use Citadel in ways other than what it was originally intended for. We also see from our telemetry data gathered from the field that Citadel still remains active in many parts of the world. Read the McAfee Labs report <a href="http://www.mcafee.com/us/resources/white-papers/wp-citadel-trojan.pdf"><i>Inside the World of the Citadel Trojan</i>.</a></p>
<p><b>The Poetry Group</b></p>
<p>Summary of the group’s activity:</p>
<ul>
<li>27 Japanese government offices compromised across three distinct campaigns</li>
<li>43 government offices targeted in Poland</li>
<li>Victims found in Poland, Denmark, Sweden, Spain, Netherlands, Estonia, Czech Republic, Switzerland, and Japan</li>
<li>More than a half-dozen campaigns conducted by this group since October 2012</li>
<li>Compromised more than 1,000 victims worldwide with their campaigns</li>
</ul>
<p>This group has been actively using Citadel to target government offices around the world since October 2012. From our field telemetry, we were able to pinpoint the regions and identify targets and victims spanning more than a half-dozen campaigns.</p>
<p>Our threat map shows that their focus remains on Poland and Denmark, which have the highest infection numbers. Japan is the next most popular target.</p>
<p><a href="http://blogs.mcafee.com/mcafee-labs/labs-paper-looks-inside-the-world-of-the-citadel-trojan/attachment/20130131-citadel-threatchart" rel="attachment wp-att-21722"><img class="alignnone size-full wp-image-21722" alt="20130131 Citadel ThreatChart" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/20130131-Citadel-ThreatChart.png" width="558" height="345" /></a></p>
<p>One interesting campaign that we also observed in our research infected 13 victims in Poland, all in government offices. This was a very targeted campaign indeed, focusing at first on selective targets across the country. The campaign began late in December 2012 and ended on Jan 23. Furthermore, we found a list recovered from process memory pertaining to certain city-level government domains in Poland. Many of the telemetry hits matched government offices in the targeted city, which led us to conclude that the group was using this list as a filter to target certain local government sites.</p>
<p>The group orchestrating these attacks embeds strings of poetry as a string-table resource in the malware binary. Many of these poetic statements are rather cryptic and are quoted from Shakespeare. At first glance they appear meaningless. However, in some cases we found political comments referencing the target country.</p>
<p>In one of the malware binaries, the group made a rather harsh statement toward Poland, which to date has had 379 victims of this Citadel campaign.</p>
<p><a href="http://blogs.mcafee.com/mcafee-labs/labs-paper-looks-inside-the-world-of-the-citadel-trojan/attachment/20130131-citadel-stringtable" rel="attachment wp-att-21726"><img class="alignnone size-full wp-image-21726" alt="20130131 Citadel stringtable" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/20130131-Citadel-stringtable.png" width="628" height="150" /></a></p>
<p>This type of targeted messaging goes hand in hand with another reference made toward Denmark, which followed Poland in magnitude with 218 infected victims.</p>
<p>After an analysis of 300 unique Citadel Trojan samples, we conclude that the poetry strings are not caused by a common tool, nor are they included in Citadel by default; they are the work of the Poetry Group. We suspect that Poetry Group may be a byproduct of a for-hire data-gathering operation for a private clientele, and their tool of choice is Citadel. McAfee Labs will continue to monitor their activity.</p>
<p><a href="http://www.mcafee.com/us/resources/white-papers/wp-citadel-trojan.pdf">The report is available here.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/labs-paper-looks-inside-the-world-of-the-citadel-trojan/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Android Malware Promises Video While Stealing Contacts</title>
		<link>http://blogs.mcafee.com/mcafee-labs/android-malware-promises-video-while-stealing-contacts</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/android-malware-promises-video-while-stealing-contacts#comments</comments>
		<pubDate>Fri, 13 Apr 2012 20:55:12 +0000</pubDate>
		<dc:creator>Carlos Castillo</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[DougaLeaker]]></category>
		<category><![CDATA[Google Play]]></category>
		<category><![CDATA[Japan]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=15513</guid>
		<description><![CDATA[Recently we discovered a new Android Trojan in the official Google Play market that displays a video downloaded from the Internet&#8211;but only if some sensitive information is previously sent to a remote server. The malicious applications are designed for Japanese users and display “trailers” of upcoming video games for Android. Here&#8217;s one example: Or anime/adult <a href="http://blogs.mcafee.com/mcafee-labs/android-malware-promises-video-while-stealing-contacts">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;">Recently we discovered a new Android Trojan in the official Google Play market that displays a video downloaded from the Internet&#8211;but only if some sensitive information is previously sent to a remote server. The malicious applications are designed for Japanese users and display “trailers” of upcoming video games for Android. Here&#8217;s one example:</p>
<p><a href="http://blogs.mcafee.com/?attachment_id=15514"><img class="aligncenter size-full wp-image-15514" src="http://blogs.mcafee.com/wp-content/uploads/2012/04/gurabia.png" alt="" width="243" height="205" /></a></p>
<p>Or anime/adult Japanese videos:</p>
<p><a href="http://blogs.mcafee.com/?attachment_id=15515"><img class="aligncenter size-full wp-image-15515" src="http://blogs.mcafee.com/wp-content/uploads/2012/04/bizin.png" alt="" width="246" height="191" /></a></p>
<p>When the application is about to be installed, two suspicious permissions&#8211;read contact data and read phone state and identity&#8211;are requested. Neither is needed for the principal purpose of the application, which is to display a video from the Internet. The reason for these requests becomes clear because the first action that the malware takes when it executes is to obtain, in the background, the following sensitive information from the device without the user’s consent:</p>
<ul>
<li>Android ID: Unlike most Android malware and PUPs (potentially unwanted programs) that gather the IMEI to uniquely identify a device, this malicious application obtains the android_id which <a href="http://developer.android.com/reference/android/provider/Settings.Secure.html">according to the Android API</a> is a “64-bit number that is randomly generated on the device&#8217;s first boot and should remain constant for the lifetime of the device.”</li>
<li>Phone number: Obtains the phone number of the device. READ_PHONE_STATE permission is required to gather this information.</li>
<li>Contact List: Gets the name, telephone number, and email of every person in the contact list.</li>
</ul>
<p>While the data is harvested, the victim sees this “loading” message:</p>
<p><a href="http://blogs.mcafee.com/?attachment_id=15516"><img class="aligncenter size-full wp-image-15516" src="http://blogs.mcafee.com/wp-content/uploads/2012/04/loading.png" alt="" width="319" height="484" /></a></p>
<p>Once the information is obtained, the malicious application sends it to a remote server in clear text:</p>
<p><a href="http://blogs.mcafee.com/?attachment_id=15517"><img class="aligncenter size-full wp-image-15517" src="http://blogs.mcafee.com/wp-content/uploads/2012/04/data_leakage_modified.png" alt="" width="697" height="213" /></a></p>
<p>If the data was sent successfully, the application requests a specific video from the same server and displays it using a VideoView component. If the malware fails at its background theft (for example, the device does not have an Internet connection), a message in Japanese says that an error has occurred and the video has not loaded:</p>
<p><a href="http://blogs.mcafee.com/?attachment_id=15518"><img class="aligncenter size-full wp-image-15518" src="http://blogs.mcafee.com/wp-content/uploads/2012/04/error.png" alt="" width="325" height="492" /></a></p>
<p>So far we have discovered 15 applications from two developers that, according to Google Play statistics, have been downloaded by at least 70,000 users. Due to the privacy risk that these applications represent to Android customers, all of them have been removed from the market. McAfee Mobile Security detects these threats as Android/DougaLeaker.A. Prior to installation, users should verify in the Google Play market that the application does not request permission to perform actions not related to its purpose.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/android-malware-promises-video-while-stealing-contacts/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Does Japan Have 10x Fewer PC Infections Than the US?</title>
		<link>http://blogs.mcafee.com/consumer/why-does-japan-have-10x-fewer-pc-infections-the-us</link>
		<comments>http://blogs.mcafee.com/consumer/why-does-japan-have-10x-fewer-pc-infections-the-us#comments</comments>
		<pubDate>Tue, 04 Nov 2008 19:32:54 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Consumer]]></category>
		<category><![CDATA[Japan]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[New York Times]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=317</guid>
		<description><![CDATA[I read the New York Times article today titled &#8220;On Security, Microsoft Reports Progress and Alarm&#8221; and was quite intrigued by the closing paragraph that talked about malware infection rates in different countries. According to the article, Japan had the lowest rate of 1.8 for every 1,000 PCs, while the U.S. was back in the <a href="http://blogs.mcafee.com/consumer/why-does-japan-have-10x-fewer-pc-infections-the-us">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>I read the New York Times article today titled &#8220;<a href="http://www.nytimes.com/2008/11/03/technology/companies/03security.html?th&amp;emc=th">On Security, Microsoft Reports Progress and Alarm</a>&#8221; and was quite intrigued by the closing paragraph that talked about malware infection rates in different countries. According to the article, Japan had the lowest rate of 1.8 for every 1,000 PCs, while the U.S. was back in the pack, having 11.2 per 1,000 PCs.</p>
<p>Why is this? Why would we Americans have 10 times more computer infections than the Japanese? What are they doing right? Is it something we can adopt here?</p>
<p>This statistic, obviously, got me going. The article suggested that one of the big problems for Microsoft and the computer industry is &#8220;the propensity of many computer users to click on enticing links in their email or visit seductive but malicious Web sites&#8230;&#8221;</p>
<p>Are Americans, in general, more gullible than the Japanese? Or are we just more adventurous as a people, willing to take more risks? Or just less educated and informed on the nature of online threats? Or maybe it is just a culture thing, where mistrust is a basic Japanese value? Do the Japanese hold their guard up higher or are they just better at detecting B.S. or smelling a rat?</p>
<p>I welcome your ideas and theories. If you have Japanese contacts, send them a link to this blog and ask them to weigh in and possibly enlighten us&#8230;U.S.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/consumer/why-does-japan-have-10x-fewer-pc-infections-the-us/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
	</channel>
</rss>
