Mobile Malware Xafecopy Robs Victims Through WAP Billing: Almost 40% of Targets in India
Kaspersky Lab experts have uncovered a mobile malware targeting the WAP billing payment method, stealing money through victims' mobile accounts without their knowledge. The Xafecopy Trojan is disguised as useful apps like BatteryMaster, and operates normally while secretly decrypting and loading malicious code onto the device. Some of the names in the JavaScript files used by Xafecopy are also seen in the infamous Ztorg Trojan, suggesting possible code sharing between criminal gangs.
Once activated, the Xafecopy malware clicks on web pages with Wireless Application Protocol (WAP) billing - a form of mobile payment that charges costs directly to the user's mobile phone bill so they don't need to register a card or set up a username and password - and then silently subscribes the phone to a number of services. The malware uses JavaScript files that can bypass captcha systems designed to protect users by confirming the action is being performed by a human.
"WAP billing can be particularly vulnerable to so-called clickjacking as it has a one-click feature that requires no user authorization. Our research suggests WAP billing attacks are on the rise. Xafecopy's attacks targeted countries where this payment method is popular. The malware has also been detected with different modifications, such as the ability to text messages from a mobile device to premium-rate phone numbers, and to delete incoming text messages to hide alerts from mobile network operators about stolen money," explains Roman Unuchek, Senior Malware Analyst, Kaspersky Lab.
Xafecopy hit more than 4,800 users in 47 countries within the space of a month, with 37.5% of the attacks detected and blocked by Kaspersky Lab products targeting India, followed by Russia, Turkey and Mexico.
"Android users need to be extremely cautious in how they download apps. It is best not to trust third-party apps, and whatever apps users do download should be scanned locally with the Verify Apps utility. But beyond that, Android users should be running a mobile security suite on their devices, such as Kaspersky Internet Security for Android devices," added Sylvia Ng, General Manager SEA, Kaspersky Lab.
Kaspersky Lab detects all variations of the Trojan as:
Trojan-Clicker.AndroidOS.Xafekopy.a, Trojan-Clicker.AndroidOS.Xafekopy.b, Trojan-Clicker.AndroidOS.Xafekopy.c, Trojan-Clicker.AndroidOS.Xafekopy.d and Trojan-Clicker.AndroidOS.Xafekopy.e
To avoid falling prey to mobile malware, users are advised to:
· check that apps have been created by a reputable developer before installing, and use only reputable online stores,
· keep their OS and application software up-to-date,
· refrain from downloading anything that looks suspicious or whose source cannot be verified, and
· install a reliable security solution, such as Kaspersky Internet Security for Android, on their device.
Source: http://ift.tt/2xtJxdv