Thursday, 26 June 2014
More fake antivirus programs found in Google Play, Windows Phone Store
Last month Google offered refunds to users who bought a fake antivirus app from Google Play, but the scam seems to be catching on and security researchers have recently identified similar apps in both the Android and Windows Phone app stores.
Malware analysts from Kaspersky Lab found a fake app called Kaspersky Mobile in the Windows Phone Store, which is unusual because cybercriminals tend to target Google Play and because Kaspersky doesn't even make an antivirus product for Windows Phone.
The fake app, which was available for 149 rubles or around US$4, used Kaspersky's logo and other branding elements and even pretended to scan files when run, said Roman Unuchek, senior malware analyst at Kaspersky Lab in a blog post Thursday.
Kaspersky Lab was not the only brand abused by the people behind this scam. The same developer account had created fake apps using the names and logos of other popular programs, including Avira Antivirus, Mozilla Firefox, Google Chrome, Opera Mobile, Internet Explorer and Safari.
One of the developer's fake Windows Phone apps used the same name as a fake antivirus app found in Google Play in April -- Virus Shield.
Despite costing $3.99 and doing nothing to protect devices, the Android version of the app was downloaded over 10,000 times and made it into several "top paid" lists before being identified as a fraud. Google removed the application and offered refunds to affected users, as well as $5 in store credit.
The researchers also identified a Kaspersky-branded fake app in Google Play using the name Kaspersky Anti-Virus 2014. The app's description was copied from the official Google Play page for Kaspersky Internet Security for Android, one of the company's legitimate products.
The app's creators didn't even bother to add a scan simulation to the application, Unuchek said.
"It is quite possible that more and more of these fake apps will start appearing," he said. "One thing is for sure -- the mechanisms put in place by the official stores are clearly unable to combat scams like this."
New online banking Trojan program combines Zeus and Carberp features
A new computer Trojan that targets users of 450 financial institutions from around the world appears to borrow functionality and features directly from the notorious Zeus and Carberp malware programs.
The new threat, dubbed Zberp by security researchers from IBM subsidiary Trusteer, has a wide range of features. It can gather information about infected computers, including their IP addresses and host names; take screenshots and upload them to a remote server; steal FTP and POP3 credentials, SSL certificates and data entered into Web forms; hijack browsing sessions and inject rogue content into open websites; and initiate rogue remote desktop connections using the VNC and RDP protocols.
The Trusteer researchers consider Zberp a variant of ZeusVM, a recent modification of the widely used Zeus Trojan program whose source code was leaked on underground forums in 2011. ZeusVM was discovered in February and stands out from other Zeus-based malware through its authors' use of steganography to hide configuration data inside images.
The Zberp authors use the same technique, which is meant to evade detection by anti-malware programs, to send configuration updates embedded in an image that depicts the Apple logo. However, the new threat also uses hooking techniques to control the browser that seem to have been borrowed from Carberp, another Trojan program designed for online banking fraud whose source was leaked last year.
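The article says only that the configuration travels "inside" an image; one simple and common way to piggyback a payload on a picture is to append it after the JPEG end-of-image marker, where viewers ignore it. The following check, an added example written for this page and not code from Trusteer or from the malware, walks the JPEG marker structure to find the real EOI and reports whatever trails it. Walking the segments matters because an EXIF thumbnail inside an APP1 segment carries its own FF D9, so a naive byte search stops too early. The sample image built by `build_sample` is constructed for the demonstration and assumes nothing about Zberp's actual file layout.

```python
import struct

SOI = b"\xff\xd8"   # start of image
EOI = b"\xff\xd9"   # end of image


def jpeg_trailing_data(blob: bytes) -> bytes:
    """Return the bytes that follow the true JPEG EOI marker (b'' if none).

    Marker segments are walked by length so that an FF D9 embedded in an
    APPn segment (e.g. an EXIF thumbnail) is not mistaken for the real EOI.
    Entropy-coded scan data is skipped byte by byte: inside it, FF is always
    followed by 00 (byte stuffing) or by an RSTn marker (D0..D7).
    """
    if not blob.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = blob[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # the real end of image
            return blob[pos + 2:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                  # standalone markers carry no length
            continue
        seglen = struct.unpack(">H", blob[pos + 2:pos + 4])[0]
        pos += 2 + seglen             # skip marker and its payload
        if marker == 0xDA:            # SOS: scan data follows until a real marker
            while pos + 1 < len(blob):
                nxt = blob[pos + 1]
                if blob[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return b""                        # truncated file: no EOI found


def build_sample(payload: bytes) -> bytes:
    """Constructed minimal JPEG-like blob: APP1 with a fake thumbnail (which
    contains its own FF D9), a SOS segment, scan data, EOI, then the payload."""
    app1_body = b"Exif\x00\x00" + b"\xff\xd8thumb\xff\xd9"
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", len(sos_body) + 2) + sos_body
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # stuffed FF 00 and an RST0 inside
    return SOI + app1 + sos + scan + EOI + payload


if __name__ == "__main__":
    sample = build_sample(b"CONFIG-BLOB")
    print("trailing bytes:", jpeg_trailing_data(sample))
    print("naive find() hits the thumbnail EOI first:", sample.find(EOI) < sample.find(b"\xff\xda"))
```

A non-empty result is a triage signal, not proof of malware: some legitimate tools also append data to images, so the next step is to look at what the trailing bytes are (entropy, known headers) rather than to alert on the mere presence of a tail.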
"Since the source code of the Carberp Trojan was leaked to the public, we had a theory that it won't take cybercriminals too long to combine the Carberp source code with the Zeus code and create an evil monster," Trusteer researchers Martin Korman and Tal Darsan said last week in a blog post. "It was only a theory, but a few weeks ago we found samples of the 'Andromeda' botnet that were downloading the hybrid beast."
Zberp also uses other techniques borrowed from ZeusVM to achieve persistence and evade detection, the researchers said. The malware deletes its start-up registry key while it is running and adds it back when it detects a system shutdown. The practical consequence is that a live check of the usual autostart locations will not show the entry; catching this trick means monitoring writes to autostart keys during shutdown or inspecting the registry offline.
"According to a Virus-Total scan, the Zberp Trojan was able to evade most anti-virus solutions when it was first detected," the Trusteer researchers said.
Avast pulls support forum after hackers pwn 400,000 user accounts
Anti-virus firm Avast Software has taken its user support forum offline after hackers broke into the system at the weekend and compromised around 400,000 of its registered users.
In a post on the site, the firm said that the attack affected data such as “user nicknames, user names, email addresses and hashed (one-way encrypted) passwords,” and that users would be asked to reset their logins as soon as the site returned.
“This issue only affects our community-support forum. Less than 0.2% of our 200 million users were affected. No payment, license, or financial systems or other data was compromised,” the notification said, downplaying the incident.
Although the data accessed by the attackers is not of the same value as the sensitive information stolen during the recent eBay attack, any kind of hack is embarrassing for a firm that trades on its security competence.
Avast is, after all, the number one antivirus client in the world according to most market share reports, albeit with a large number of users on the free version.
“We are now rebuilding the forum and moving it to a different software platform. When it returns, it will be faster and more secure,” said Avast, which added that the compromised support forum had been hosted on a third-party site.
“We realize that it is serious to have these usernames stolen and regret the concern and inconvenience it causes you. However, this is an isolated third-party system and your sensitive data remains secure.”
Attacks of this kind are always seized on as a reason for more sites to adopt two-factor authentication. That is fair, but it adds cost that probably cannot be justified for every site. A cheaper first step is simply to run a system that imposes some password discipline on its users.
Avast does not appear to have enforced minimum password complexity, which would at least make guessing trivial passwords far harder. "Hashed" is also not the same as safe: how much protection those 400,000 hashes offer depends on the scheme used. An unsalted fast hash such as MD5 falls to a wordlist in seconds, while a slow, salted scheme such as bcrypt holds up far better, and Avast's notice does not say which the forum used.
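The two halves of that argument, a policy that rejects weak passwords and the offline guessing it is meant to blunt, can be shown together. The following is an added example written for this page, not Avast's forum code, and it assumes for illustration that the stolen hashes were unsalted MD5; the article does not say what scheme the forum used. The common-password blocklist and the sample dump are constructed.

```python
import hashlib
import re

# Constructed blocklist; a real deployment would load a large breach-derived list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "avast"}

CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")


def password_problems(password: str, username: str = "") -> list:
    """Return the list of policy rules a candidate password breaks (empty = OK).
    The rules are assumptions about what 'minimum complexity' should mean."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if sum(bool(re.search(p, password)) for p in CHAR_CLASSES) < 3:
        problems.append("fewer than 3 character classes")
    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    return not password_problems(password, username)


def crack_unsalted_md5(hex_digest: str, wordlist) -> str:
    """Offline guessing against an unsalted MD5 hash: returns the recovered
    password or None. Every guess costs one hash, which is why a fast
    unsalted scheme offers little protection once the table is stolen."""
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == hex_digest:
            return guess
    return None


def crack_dump(dump: dict, wordlist) -> dict:
    """Run the wordlist over a {username: hex_digest} dump (constructed here)."""
    return {user: crack_unsalted_md5(digest, wordlist) for user, digest in dump.items()}


if __name__ == "__main__":
    # Constructed sample dump: one trivial password, one policy-compliant one.
    dump = {
        "alice": hashlib.md5(b"qwerty").hexdigest(),
        "bob": hashlib.md5(b"Tr0ub4dor&3x!").hexdigest(),
    }
    print(password_problems("qwerty", "alice"))
    print(crack_dump(dump, COMMON_PASSWORDS))
```

The policy check catches "qwerty" on three rules at once, and the same wordlist that the policy consults is exactly what an attacker runs first over a stolen dump; the compliant password survives that pass. A salted slow hash would make the guessing loop itself expensive, which is the complementary fix on the server side.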
It's not the first embarrassment for Avast. In 2012, the firm had to ditch its Indian support firm that allegedly claimed PCs were suffering technical problems that required a paid service.