
Android adware and Romanian hackers on the rise: Fortinet

Madura McCormack | Oct. 9, 2012
Threat landscape research highlights the uprising of mobile intruders and cyber criminals

Android takes another hit, a mobile banking Trojan is bypassing your two-factor authentication and the Romanians are finding holes in the Web.

Network security company Fortinet reported the new findings from its threat landscape research for the period between 1 July and 30 September today.

Leading the pack, two Android-based mobile adware families have surged in activity to the point where they have been detected by close to one percent of all FortiGuard monitoring systems in the Asia Pacific and Europe, Middle East and Africa (EMEA) regions. The number was even higher in the Americas, at four percent detection.

Fortinet referred to the activity of the Android/NewYearL and Android/Plankton variants as being comparable to Netsky.PP, the infamous Internet spam generator.

The adware embeds a common toolset for unwanted advertisements displayed through the mobile status bar, tracks users through their IMEI (International Mobile Equipment Identity) number and drops icons from the device's desktop, according to Fortinet.

"The surge in Android adware can most likely be attributed to users installing on their mobile devices legitimate applications that contain the embedded adware code. It suggests that someone or some group is making money, most likely from rogue advertising affiliate programs," said Guillaume Lovet, senior manager of Fortinet's FortiGuard Labs Threat Response Team.

Mobile banking and its pesky blemish

A pimple on its own, the "Zeus-in-the-mobile" (Zitmo) Trojan seems to be evolving into stubborn acne.

According to Fortinet, Zitmo now has added botnet-like features that could allow cyber criminals to control the Trojan via SMS commands.

The mobile Trojan is circumventing the two-factor authentication used by banks and online merchants by intercepting the SMS confirmation codes.

Lovet believes the Zitmo code is currently being tested by its authors or deployed for very specific and targeted attacks. He also added that only a few instances of the malware have been detected in Europe and Asia.

Romanian hackers

Fortinet reported a large volume of detections of scanning that identifies vulnerable versions of the MySQL administration software phpMyAdmin in order to take control of the servers hosting it.

Developed by Romanian hackers, ZmEu contains code strings in the payload that refer to AntiSec, a hacktivist group comprised of members from Anonymous and the now defunct LulzSec.

"The goal behind an attack on this vulnerability is open to speculation, but if these hackers are indeed related to AntiSec, possible scenarios include exfiltrating sensitive data, using the compromised servers as a direct denial of service (DDoS) launch base or defacing the websites they've infiltrated," Lovet added.
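Scanning of the kind described above leaves a characteristic trace in web server logs: one source requesting many differently named admin-panel directories and receiving a 404 for each. The following detector, added here as an illustration and not code from the article or from Fortinet, reads combined-format access log lines (the sample lines and IP addresses are constructed) and reports sources that probed at least three distinct non-existent phpMyAdmin-style paths:

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx combined log format (not taken from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Oct/2012:10:01:01 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 169 "-" "probe"
203.0.113.7 - - [09/Oct/2012:10:01:01 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 169 "-" "probe"
203.0.113.7 - - [09/Oct/2012:10:01:02 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 169 "-" "probe"
203.0.113.7 - - [09/Oct/2012:10:01:02 +0000] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 169 "-" "probe"
198.51.100.5 - - [09/Oct/2012:10:05:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.5 - - [09/Oct/2012:10:05:11 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD path PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Directory names commonly guessed when hunting for an exposed MySQL admin panel (assumed list).
ADMIN_PATH_RE = re.compile(r'^/(phpmyadmin|pma|myadmin|mysqladmin|mysql)\d*(/|$)', re.IGNORECASE)


def parse(line):
    """Return (ip, path, status) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group('ip'), m.group('path'), int(m.group('status'))


def find_scanners(log_text, min_distinct_paths=3):
    """Return {ip: sorted distinct admin-panel paths} for sources that requested at least
    min_distinct_paths different admin-panel locations and got a 404 for each one.
    A legitimate administrator hits the one path that exists (200); a scanner enumerates
    many names that do not."""
    misses = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, path, status = rec
        if status == 404 and ADMIN_PATH_RE.match(path):
            misses[ip].add(path)
    return {ip: sorted(paths) for ip, paths in misses.items() if len(paths) >= min_distinct_paths}


if __name__ == '__main__':
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} non-existent admin-panel paths: {paths}")
```

The same per-source counting applies to any set of guessed paths; lowering the threshold trades missed slow scans for more false positives from mistyped URLs.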
