Results for mobile malware

Threat Research

Hack in the Box GSEC Wrap Up

Hack in The Box (HITB) GSEC is a security conference that was held from the 27th to the 31st of August 2018 in Singapore. This was its 4th iteration, and this year it was split into two different sub-tracks: “GSec” and “CommSec.”

By Minh Tran, September 07, 2018

Threat Research

Unmasking Android Malware: A Deep Dive into a New Rootnik Variant, Part III

In this final blog in the Rootnik series we will finish our analysis of this new variant. Let’s start by looking into the shell script rsh. Analysis of the shell script Through our investigation we are able to see how the shell script works: First, it writes the content of the file .ir into /system/etc/install-recovery.sh. The file install-recovery.sh is a startup script. When the Android device is booted, the script can be executed. The following is the content of the file .ir. Next, it writes some files...

By Kai Lu, July 09, 2017

Threat Research

Unmasking Android Malware: A Deep Dive into a New Rootnik Variant, Part II

In part I of this blog, I finished the analysis of the native layer of a newly discovered Rootnik malware variant, and got the decrypted real DEX file. Here in part II, we will continue our analysis. A look into the decrypted real DEX file The entry of the decrypted DEX file is the class demo.outerappshell.OuterShellApp. The definition of the class OuterShellApp is shown below. Figure 1. The class demo.outerappshell.OuterShellApp We will first analyze the function attachBaseContext(). The following is the function aBC() in the class...

By Kai Lu, July 09, 2017

Threat Research

BankBot, the Prequel

For us at FortiGuard, it always sounds like a bad idea for people to share malware source code, even if it is for academic or educational purposes. For example, on GitHub we can currently find more than 300 distinct repositories of ransomware, which gives you some idea about the attention that this form of malware receives. Although ransomware has the highest profile in the threat landscape at the moment, that does not mean that other threats have disappeared. Android is the most widespread OS on mobile devices, covering around 80% of the...

Threat Research

How to repair a DEX file, in which some key methods are erased with NOPs

During the process of analyzing Android malware, we usually meet some APK samples which hide or encrypt their main logic code. Only at some point does the actual code exist in memory, so we need to find the right time to extract it. In this blog, I present a case study on how to repair a DEX file in which some key methods are erased with NOPs and decrypted dynamically when ready to be executed. Note: All the following analysis is based on android-4.4.2_r1 (KOT49H). Let’s start our journey! First, I open the classes.dex...

By Kai Lu, April 05, 2017

Threat Research

FortiGuard Labs - Global Healthcare Threat Telemetry for Q4 2016

This Global Healthcare Threat Telemetry report examines the threat landscape of the global healthcare industry in Q4 2016. It is based on threat telemetry obtained by FortiGuard Labs’ research group from sensors located at 454 healthcare companies located in 50 countries around the globe. FortiGuard Labs, and its more than 200 researchers and analysts located around the world, logs over 400,000 hours of threat research every year by monitoring and analyzing threat telemetry gathered from over two million sensors. The resulting threat intelligence...

By Gavin Chow, February 21, 2017

Threat Research

Risks - or not - Behind Pokémon Go

At FortiGuard, we wouldn't let you down without an analysis of Pokémon Go. Is it safe to install? Can you go and hunt for Pokémon, or stay by a pokestop longing for pokeballs? While this article won't assist you in game strategy, I'll give you my first impressions analyzing the game. Versions There are two sorts of Pokémon applications: 1. The official versions, issued by Niantic. We will talk more about these later, but in brief, they are not malicious. 2. The hacked versions. These are...

By Axelle Apvrille, August 10, 2016

Threat Research

Pokémon Go Plus Preview (Through Reverse Engineering)

While inspecting the Pokémon Go application, I incidentally found information on ... Pokémon Go Plus. Basically, this is the Pokémon IoT: a connected wristband with a button (to throw a pokéball, for instance), an RGB LED, and vibration capability (e.g. to notify of nearby Pokémon). The device is not yet released, and the software is still under development: as you can see below, version 0.29.x corresponds to "BETA4". Implementation in version...

By Axelle Apvrille, August 10, 2016

Threat Research

Android Spywaller: Firewall-Style Antivirus Blocking

Malware has been known to use new and innovative ways to evade detection by Antivirus software, a phenomenon AV analysts have often seen with PC malware. Not a lot of examples of the same have been seen employed by mobile malware. A recently discovered Android malware has brought to light one such Antivirus evasion technique with its use of "a legitimate firewall to thwart security software". The legitimate firewall referred to is iptables which is a well-known "administration tool for IPv4 packet filtering and NAT" on...

By Ruchna Nigam, January 21, 2016

Industry Trends

I've Got 99 Problems and Quite a Few of Them Are Android

Until relatively recently, mobile malware wasn't that different from early PC malware: it was annoying, it probably invaded your privacy, and it took a toll on system resources, but it wasn't especially dangerous or costly in the way that modern weaponized malware used to attack PCs, servers, and point-of-sale systems was. And just as early malware primarily targeted a single OS (Windows), mobile malware remains almost exclusively a problem for Android. However, it appears that Stagefright has served as something of a wakeup call for the...

By Chris Dawson, August 12, 2015