Cybercriminals use social engineering to extend lifecycle of malware by ensnaring tech-savvy users with plausible scenarios

Android smartphone users remain a lucrative target as the platform currently has 59 percent global market share and is on track to stay the most shipped mobile operating system until 2016 . Much of this new malware has also been identified as originating from China and targeting users there and in neighbouring markets, reflecting the fact that this is now the world’s top smartphone market with over one million mobile web users .

The China connection

This quarter saw the introduction of the first Android bootkit, ‘DKFbootkit’, which masquerades as a fake version of a legitimate application and damages the smartphone’s Linux kernel code by replacing it with malicious code. Users are tricked into clicking ‘OK’ to the notifications the malware provides, giving it permission to add itself to the boot sequence and spring into life once the device is activated. In rooting the device, this attack turns the smartphone into a zombie that is fully under the cybercriminal’s control, which makes it a serious threat to Android users. This attack is spread over the third party applications market – and not the official Google Play - in China.

Malware authors also spammed China, Japan, South Korea, Taiwan and the United States with Trojan-infected email messages related to political issues around Tibet. These were released on the back of a Microsoft ‘Patch Tuesday’ security bulletin with the authors rushing to take advantage of the ‘window of opportunity’ time lag between the patch release and when users were able to implement it. The email attachment contains an embedded encrypted executable file which collects sensitive user information such as passwords, and is able to download additional malware for key logger facility or to get a new Trojan configuration.

Michael McKinnon, Security Advisor at AVG (AU/NZ), said: “In AVG’s experience, an operating system attracts attention from cybercriminals once it secures five percent market share; once it reaches ten percent, it will be actively attacked. It’s no surprise therefore that our investigations uncovered a further upsurge in malware targeting Android smartphones given its sustained popularity, with new attacks focused on rooting the devices to give cybercriminals full control. What’s new this quarter is the significant upsurge in these threats originating from China.”

The end of antivirus?

For all of the sensationalism around the discovery of Stuxnet in 2010 and its 2012 equivalent, Flame, the average consumer was never actually a target for either malware. While rumours of cyber-attacks were circulated about both, Flame was actually not a patch on the sophistication of Stuxnet in terms of malware authoring and in particular, the techniques used in the payload were not very impressive. The security industry has already adapted to the unexpected nature of threats with traditional signature detection being just one layer within a multi-faceted security solution.

Consumer scams

The latest version of the LizaMoon mass injection SQL attack this quarter deceives users into downloading a Trojan or some rogue software by exploiting human interest and hiding inside non-existent celebrity sex videos or fake antivirus websites. Injecting malicious code into legitimate but vulnerable websites, this attack targeted Mozilla’s Firefox® browser and Microsoft’s Internet Explorer® with two attack vectors. In Firefox, users are lured by raunchy videos of socialite Paris Hilton and actress Emma Watson and asked to update their Flash installation in order to view them. Users never get to see the video as the malware installed is a Trojan disguised as a Flash update.

In Internet Explorer, users receive a prompt seemingly from an antivirus website which would claim to have found malware on their computer. They are encouraged to download the malware and, once installed, to ‘purchase it’ which would then simply remove the malware in return for payment. Should the victim decide not to purchase, nag screens would pop up until the rogue was cleaned from the machine. In the most recent version, the malware was updated to enable ‘drive-by downloads’ where victims need only visit the website to become infected and it is no longer enough to close the web page to be safe.

Rovio’s ‘Angry Birds Space’ application was also frontline for consumer scams this quarter. Using the same graphics as the legitimate version, a fully functional Trojan-infected version was uploaded to unofficial Android application stores. It uses the GingerBreak exploit to root the device, gaining Command and Control functionality to communicate with the remote server to download and install additional malware, botnet functionality, and to enable the modification of files and launch of URLs.

To download the full Q2 2012 Community Powered Threat Report, please visit: http://www.avg.com.au/files/media/avg_threat_report_2012-q2.pdf.

About the report

The AVG Community Protection Network is an online neighbourhood watch, where community members work to protect each other. Information about the latest threats is collected from customers who participate in the product improvement program and shared with the community to make sure everyone receives the best possible protection.

The AVG Community Powered Threat Report is based on the Community Protection Network traffic and data collected from participating AVG users over a three-month period, followed by analysis by AVG. It provides an overview of web, mobile devices, spam risks and threats. All statistics referenced are obtained from the AVG Community Protection Network.

AVG has focused on building communities that help millions of online participants support each other on computer security issues and actively contribute to AVG’s research efforts.

###

Keep in touch with AVG (AU/NZ)

• For breaking news, follow AVG (AU/NZ) on Twitter at twitter.com/avgaunz • Join our Facebook community at www.facebook.com/avgaunz • For security trends, analysis, follow the AVG (AU/NZ) blog at resources.avg.com.au

AVG (AU/NZ) has a comprehensive range of security tips on its web site at http://www.avg.com.au/resources/security-tips/. For video tips from AVG (AU/NZ), see http://www.youtube.com/user/avgaunz.

### ENDS ###

About AVG (AU/NZ) Pty Ltd — www.avg.com.au

Based in Melbourne, AVG (AU/NZ) Pty Ltd, an Avalanche Technology Group company, distributes AVG Technologies’ software, namely the AVG Internet Security and Mobile Security product range in Australia, New Zealand and the South Pacific.

AVG Technologies’ mission is to simplify, optimise and secure the Internet experience, providing peace of mind to a connected world. AVG’s powerful yet easy-to-use software and online services put users in control of their Internet experience. By choosing AVG’s software and services, users become part of a trusted global community that benefits from inherent network effects, mutual protection and support. AVG has grown its user base to 114 million active users as of March 31, 2012 and offers a product portfolio that targets the consumer and small business markets and includes Internet security, PC performance optimisation, online backup, mobile security and identity protection.

AVG (AU/NZ) Media Contacts:

Michael McKinnon AVG (AU/NZ) 03 9581 0845 mmckinnon@avg.com.au Shuna Boyd BoydPR 02 9418 8100 shuna@boydpr.com.au

AVG Technologies – Investor Relations

AnneMarie McCauley AnneMarie.McCauley@avg.com

Media resources, including logos, box shots, screen shots etc., are available online at: http://www.avg.com.au/media/ Join the AVG Technologies’ Community for information, video content and pictures: http://www.flickr.com/photos/officialavg/sets/