Thursday, June 27, 2013

NoCom malware is still spreading.

     A recent blog posting from Virus Bulletin has given updated information for an Android Trojan called NotCompatible that was first noticed by Lookout in May. Not much has changed since the original samples, which can currently be found on Contagio Mobile. I got a chance to take a quick look at this new version, which can be downloaded here (Password = infected), after receiving some spam from a friend in my contact list with a Yahoo account.

   A quick overview shows that the link on the hacked site (this one is already inactive, as these change about every 24 hours), when clicked on with anything other than an Android device, will redirect to a scam designed to get the user to purchase a fake product. The link (hxxp://eefxxs[dot]com/) is a fake Fox News report on a "miracle" diet supplement. I have informed Fox of the copyright infringement and will update the post if the fake Fox News report has been removed.


  When clicked with an Android device, it will redirect and download the "Android Security Update". Of course, never install anything that downloads seemingly out of nowhere, and especially not from a link in an email.
However, with the guise of an official security update and the lack of permissions (the only permission it requires is use of the internet), a user may be tricked into installing this.

     Info for the sites this redirects to can be found on VirusTotal's reverse IP lookup feature using the IPs:



    Once installed, it runs in the background with no icon. It also takes up very little processing power and battery. Any time the Android device connects to the internet, the app announces itself to the Command and Control server and allows the device to be used as a TCP relay. The Android device can then be used as a proxy to hide more criminal activity. It can potentially cause problems for devices on limited data plans, or be used to steal unencrypted internet traffic passing through the device.

The current C&C server in this variation is:
hxxp://45362545233224[dot]ru/

Originally it used hxxp://notcompatible[dot]eu/, hence the name NotCompatible.
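
The traits described above (internet as the only permission, no icon, waking up whenever the device gets a connection) can be checked in a decoded AndroidManifest.xml before anything is installed. The following is an added example, not code from the malware or from the original post; it assumes the manifest has already been decoded to text XML (for instance with apktool), and the receiver actions it looks for are an assumption about how the connect-time trigger would be implemented.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: broadcasts a relay app could use to wake up when the network comes up.
WAKE_ACTIONS = {"android.net.conn.CONNECTIVITY_CHANGE",
                "android.intent.action.BOOT_COMPLETED"}

def names(parent, tag):
    """Return the android:name attribute of every <tag> below parent."""
    return {e.get(ANDROID + "name") for e in parent.iter(tag)}

def triage_manifest(xml_text):
    """Flag the traits described above in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = names(root, "uses-permission")
    if perms == {"android.permission.INTERNET"}:
        findings.append("internet-only permission set")
    # No activity with MAIN + LAUNCHER means no icon in the app drawer.
    has_icon = any(
        "android.intent.action.MAIN" in names(f, "action")
        and "android.intent.category.LAUNCHER" in names(f, "category")
        for act in root.iter("activity") for f in act.iter("intent-filter"))
    if not has_icon:
        findings.append("no launcher icon")
    for rcv in root.iter("receiver"):
        hits = names(rcv, "action") & WAKE_ACTIONS
        if hits:
            findings.append("receiver wakes on " + ", ".join(sorted(hits)))
    return findings

# Constructed sample manifest, not taken from the real APK.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Android Security Update">
    <receiver android:name=".NetReceiver">
      <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE):
        print("[!]", finding)
```

Each finding is a triage signal rather than a verdict; legitimate background-only apps exist, so the combination of all three is what deserves a closer look.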

Stay safe out there
-R`/4N


Thursday, June 6, 2013

Android Ikangoo "Porn" Trojan


      Another variant of the Android trojan SmsReg has been spotted in the wild. This one is called Ikangoo, named after the website it downloads from.

      "Dial/SmsReg!Android" is an application for mobile phones running Android which silently registers the victim to non-free services. It usually comes as a sexy or dating application, and silently sends SMS messages to particular short numbers that subscribe the victim to the corresponding service. The subscription is not free. Its cost depends on the victim's country and the service he/she subscribes to. For instance, it can go up to 10 dollars per month."

(http://www.fortiguard.com/search.php?action=detail_by_virus_name&data=Dial/SmsReg!Android)


      Like versions in the past, this one uses adult porno videos that are actually hosted online for free. It silently signs you up for a monthly fee on your phone bill. If you don't have service, you receive a pop-up telling you that you can't activate these in your area.

      The downloads of the different versions for language and "featured girl" can be found:




      I would recommend not downloading adult content onto your phone, as it is not regulated by anyone. However, the adult industry is huge and it is making its way into the Android markets. There are safe "18+" apps out there if one is to look for them. With that said, though, be mindful of any app that claims to be free porn... Google Play doesn't allow nudity, so any adult app must be downloaded from an alternate market. These alternate markets are dangerous and full of the kind of malware that security experts warn about all the time, so at the very least download a mobile antivirus and keep your device "STD" free. You can get them free right off the Amazon market worldwide.


Stay safe out there
-R`/4N