{"id":3197,"date":"2013-08-19T10:00:15","date_gmt":"2013-08-19T14:00:15","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=3197"},"modified":"2013-08-19T10:00:15","modified_gmt":"2013-08-19T14:00:15","slug":"malware-hijacks-mobile-ad-networks-to-siphon-money","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/19\/malware-hijacks-mobile-ad-networks-to-siphon-money\/","title":{"rendered":"Malware hijacks mobile ad networks to siphon money"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.techhive.com\/article\/2046891\/malware-hijacks-mobile-ad-networks-to-siphon-money.html\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/smartphone-malware-100045232-large.jpg\" \/><\/a><\/p>\n<p>Asian cybercriminals have figured out an unusual way to use the architecture of a mobile ad network to siphon money from their victims.<br \/>\nThe new method represents another step in the evolution of mobile malware, which is booming with more smartphones shipping than PCs. Mobile ad networks open up the perfect backdoor for downloading code.<br \/>\n&#8220;It&#8217;s a very, very clean infection vector,&#8221; said Wade Williamson, a senior security analyst at Palo Alto Networks who discovered the new trickery.<br \/>\nFollow the ads<br \/>\nIn legitimate partnerships between ad distributors and developers, the latter embeds the former&#8217;s software development kit (SDK) into the app, so it can download and track ads in order to split revenue.<br \/>\nUnfortunately, how well developers vet the ad networks they side with varies from one app maker to another. If the developer does not care or simply goes with the highest bidder, then the chances of siding with a malicious ad network is high.<br \/>\nmalware<br \/>\nWiliamson found one such network&#8217;s SDK embedded in legitimate apps in online Android stores for several Asian countries, including Malaysia, Taiwan, and China. Once installed, the SDK accesses an Android application package file (APK) and runs it in memory where the user cannot easily discover it.<br \/>\nThe APK typically waits until another app is being installed before triggering a popup window that seeks permission to access Android&#8217;s SMS service.<br \/>\n&#8220;It doesn&#8217;t have to go through the whole process of doing a full install,&#8221; Williamson said. &#8220;It just sits there and waits on the smartphone to install something else and then piggybacks in.&#8221;<br \/>\nOnce installed, the APK takes control of the phone&#8217;s messaging service to send text to premium rate numbers and to download instructions from a command and control server. About 77 percent of Android malware today wring money from victims through paid messaging services, said Juniper Networks&#8217; latest mobile threat report.<br \/>\nNew tactic catches on<br \/>\nWilliamson has seen more than a half dozen samples of the latest malware, which he believes is coming from one criminal group, while acknowledging multiple groups is possible.<br \/>\nAndroid users in Asia and Russia are more susceptible to Android malware, because many apps are downloaded from independent online stores. In the U.S., most Android users take apps from the Google Play store, which scans for malware and malicious ad networks.<br \/>\nBecause of the effectiveness of the latest malware, Williamson expects criminals in the future to use the same scheme to download more insidious malware capable of stealing credentials to online banking and retail sites where credit card numbers are stored.<br \/>\nThe same pathway could also be used to steal credentials for entering corporate networks.<br \/>\n&#8220;As soon as you have a vector like this, the difference between creating malware that sends spoof SMS messages versus looks for the network and tries to break in is just malware functionality,&#8221; Williamson said.<br \/>\nvia <a href=\"http:\/\/www.techhive.com\/article\/2046891\/malware-hijacks-mobile-ad-networks-to-siphon-money.html\">Malware hijacks mobile ad networks to siphon money | TechHive<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Asian cybercriminals have figured out an unusual way to use the architecture of a mobile ad network to siphon money [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7],"tags":[65,655],"class_list":["post-3197","post","type-post","status-publish","format-standard","hentry","category-security","tag-android","tag-malware"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-Pz","jetpack-related-posts":[{"id":7570,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/05\/malicious-advertisements-on-major-sites-compromised-many-many-pcs\/","url_meta":{"origin":3197,"position":0},"title":"Malicious advertisements on major sites compromised many, many PCs","author":"NCCT","date":"February 5, 2015","format":false,"excerpt":"Attackers who have slipped malicious advertisements onto major websites over the last month have potentially compromised large numbers of computers. Several security vendors have documented attacks involving malicious advertisements, which automatically redirect victims to other websites or pages that silently attack their computer and install malware. \u201cWe certainly see malvertising\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3213,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/20\/researchers-manage-to-get-malware-published-in-apples-ios-app-store\/","url_meta":{"origin":3197,"position":1},"title":"Researchers manage to get malware published in Apple&#039;s iOS App Store","author":"NCCT","date":"August 20, 2013","format":false,"excerpt":"While the posting of malware remains a rare occurrence on Apple's iOS App Store, a team of security researchers figured out a way to get a malicious piece of software past Apple's certification team. The team from Georgia Tech said that the app was approved and published by Apple in\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6209,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/08\/12\/classic-facebook-color-changer-scam-makes-another-comeback\/","url_meta":{"origin":3197,"position":2},"title":"Classic Facebook &#8220;Color Changer&#8221; scam makes another comeback","author":"NCCT","date":"August 12, 2014","format":false,"excerpt":"On Facebook, some scams are so alluring that they seem to live forever. So it goes with \u201cFacebook Color Changer,\u201d a new malware attack that masquerades as a way to change the appearance of Facebook\u2019s Website. Security firm Cheetah Mobile claims that the latest scam has affected more than 10,000\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3106,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/05\/attackers-reported-seeding-cloud-services-with-malware\/","url_meta":{"origin":3197,"position":3},"title":"Attackers reported seeding cloud services with malware","author":"NCCT","date":"August 5, 2013","format":false,"excerpt":"LAS VEGAS -- Malware writers are ramping up their use of commercial file hosting sites and cloud services to distribute malware programs, security researchers said at this week's Black Hat conference here. Traditionally, malware writers had distributed their malicious code from their own sites. But as security vendors get better\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":7480,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/01\/20\/nsa-secretly-hijacked-existing-malware-to-spy-on-n-korea-others\/","url_meta":{"origin":3197,"position":4},"title":"NSA secretly hijacked existing malware to spy on N. Korea, others","author":"NCCT","date":"January 20, 2015","format":false,"excerpt":"A new wave of documents from Edward Snowden's cache of National Security Agency data published by Der Spiegel demonstrates how the agency has used its network exploitation capabilities both to defend military networks from attack and to co-opt other organizations' hacks for intelligence collection and other purposes. In one case,\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/01\/grand-peoples-study-house-computer-lab-640x436.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/01\/grand-peoples-study-house-computer-lab-640x436.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/01\/grand-peoples-study-house-computer-lab-640x436.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":6833,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/11\/12\/ios-security-hole-allows-attackers-to-poison-already-installed-iphone-apps\/","url_meta":{"origin":3197,"position":5},"title":"iOS security hole allows attackers to poison already installed iPhone apps","author":"NCCT","date":"November 12, 2014","format":false,"excerpt":"Security researchers have warned of a security hole in Apple's iOS devices that could allow attackers to replace legitimate apps with booby-trapped ones, an exploit that could expose passwords, e-mails, or other sensitive user data. The \"Masque\" attack, as described by researchers from security firm FireEye, relies on enterprise provisioning\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/11\/masque-attack-example-640x613.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/11\/masque-attack-example-640x613.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/11\/masque-attack-example-640x613.jpg?resize=525%2C300 1.5x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/3197","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=3197"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/3197\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=3197"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=3197"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=3197"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}