Android malware not only posing as Word documents… but Excel as well

Saturday, October 31, 2015

China is a paradise for "SMS stealing malware" for Android. These programs steal your SMS inbox, address book… The only "problem" for malware creators is to induce users to install the app, and they usually use supposed pornographic content as a decoy. Zscaler just found some malware of this kind posing as a Word document. We have extended their research with some new Android malware posing as Excel documents and some other interesting findings.

Zscaler describes a more or less typical Chinese SMS infostealer. The improvement here is that the Android malware uses a Word document icon, which makes the user believe they are not installing anything but simply opening a document. We searched and found some other malware (probably from the same attacker) posing as an Excel document, and got access to the email account the stolen information is sent to.

Some interesting stuff

The samples we have analyzed use an Excel icon. They are slightly different depending on the sample.

App that tries to look like an Excel document,
and another example of an icon it may use
In these samples, the attacker uses an approach that differs from the one described by Zscaler and seems a little more advanced. The malware sends the SMS history and contact list to the attacker's email, but in this case the password for sending the email (and for checking it, too) is not hard-coded; it is stored in a configuration file.

Configuration file for the malware. Password and email included

We managed to get into the mailbox these emails are sent to and confirmed that there were indeed real SMS messages and contacts there. In one account, we found lots of supposed IMSI numbers and the whole SMS collection of the victim.

Stolen SMS from the victims

Zscaler found that the "Word document" malware was stealing the IMEI, while this one, as can be seen in the image, identifies the victim by its supposed IMSI. In another account, used by a different sample, we found the victim's contact list (names and numbers).

Some of the stolen contacts

The malware is able to "silence" the phone as well.

Setting the audio to silence

As usual, the attacker is a "regular" Google Play developer. He has been uploading apps to Google Play for months, and there are some of them online.

Some apps from the same developer

Thanks to Tacyt, we can get to know the developer rather than just a single app. Most of the apps by this developer have been removed, but they are not the same kind of malware described above: SMS stealers would not be able to bypass Google's checks. Most of them are clickers, riskware in general or very aggressive adware. One of the few that is still alive is this:

One of the apps from the same developer still in Google Play.
It is not an SMS stealer, but aggressive adware.


We were able to expand and improve on the Zscaler research. The same old tricks used on PCs are increasingly reused on Android, like this "icon decoy" technique. It is important to highlight that this malware has nothing to do with Microsoft, Office, Word or Excel on Android; it simply uses their icons as something attractive to confuse users.

Sergio de los Santos

Juan Manuel Tirado

New Financial Cyber Threats Report

Wednesday, October 21, 2015

New "Financial Cyber Threats (Q3 2015)" report
You can now download the full report about Financial Cyber Threats (Q3 2015) carried out by Kaspersky's Global Research & Analysis Team (GReAT) and ElevenPaths' Analyst Team. It's available on the ElevenPaths website.

This report analyzes the current trends related to financial phishing and banking malware, including attacks on mobile devices, POS (Point of Sales) systems and ATMs. It is mainly based on statistics and data from KSN (Kaspersky Security Network) although reliable information from other sources may also be referenced. The timeframe for this analysis contains data obtained during the period from July 1st, 2015 to October 1st, 2015.

A group of 14 countries receives 90% of all phishing attacks. The remaining 10% is distributed among more than 170 different countries. The first three countries in this ranking alone account for half of the attacks detected worldwide.

The number of phishing attacks against Mexico is remarkable: compared with the previous period, it took over second place in the ranking of phishing attacks from the United Kingdom. New Zealand was the country that suffered the most phishing attacks per user over the course of Q3 2015.

During Q2 2015 the United Arab Emirates led the ranking of countries by percentage of users attacked by phishing. This level dropped during this quarter, returning to its historical series. Phishing messages targeting the financial sector (banks, payment systems and online shops) accounted for more than 30% during this period, an increase of 2.8% compared with the data analyzed in Q2 2015. Banks are still the main targets within this sector, as observed in recent years.

Banking malware
For the first time since the start of the year the number of Dyre infections decreased (-2%) globally. The impact of this malware in the UK and Spain has grown significantly during this period, confirming the Dyre gang's interest in both countries.

The number of infections of the Zeus Trojan and its variants keeps decreasing for the second period during this year.

When it comes to POS malware, the number of infections by Cardthief, a 64-bit POS malware, shows an increase in activity towards the end of Q3 2015.

Mobile malware
Once again Android is the most frequently targeted platform: 99.69% of the mobile malware detected targets this operating system.

The Russian Federation, Vietnam and Ukraine account for almost 90% of infections. Germany, Italy, France, Poland and Austria are the most infected European countries.

More info about our Security Trends Reports at
ElevenPaths' Analyst Team

About the relations between ngemobi/Xinynhe, Ghost Push, Kemoge and Odpa malicious Android adware

Tuesday, October 20, 2015

Over the last few weeks we have seen several blog entries about different new Android-based malicious adware families discovered or spotted by CM Security Research Lab, Checkpoint, FireEye and Trend Micro, which allow a complete takeover of an Android user's device. These malicious adware families have been named "NGE MOBI/Xinyinhe", "Brain Test", "Ghost Push" and "Kemoge", and are believed to have been developed by Chinese groups. We have tried to find the relationships between these families, asking, for example:
  • What's going on with these "new" malicious adware families? How "new" are they?
  • Are these different malicious adware campaigns somehow connected?
  • Who has developed these adware campaigns?
To answer these questions, the reported malicious adware families have been "squeezed" by ElevenPaths analysts using our in-house mobile cyber-intelligence tool Tacyt, to obtain more contextual information and the associated app "singularities" (technical or circumstantial app data that are "singular or unique" to a developer and/or application).

The adware campaigns mentioned above have been analyzed and correlated on the basis of various application parameters, and the evidence obtained suggests that:
  • The malicious adware family recently reported by FireEye (in September and October) appears to be related to the "Ghost Push" malware discovered by CM Security Research Lab and Trend Micro, as several clues regarding the links and certificate information included in the app point to the same developers, who in turn appear to be related to the adware family FireEye calls "Kemoge" as well.
  • The "Brain Test" malware app reported by CheckPoint contacted a server domain that is also present in the "Kemoge" adware family sample.
  • Some of the aggressive adware apps discovered had versions in Google Play in early 2015, published by a developer that produced aggressive adware as well.

Taking into account the various "singularities" and hints obtained, it seems that all this adware or malware may come from a single root, probably the creators of the known Odpa or Opda family (the name depends on the antivirus engine), a known adware and infostealer that may be the predecessor of these malicious adware families.

Brief research schema

Squeezing the Apps

Here we present a few details of a much deeper analysis, which you can find in full at the link below.

As shown in one of the FireEye reports, the attackers have repackaged popular apps and injected malicious logic and ad components into them. The malicious adware iterates over some domains and posts data once a connection is established. Searching with our Tacyt tool for the specific domains used by the malicious adware, as indicated by the FireEye team, our analysts found 12 different apps (some from the report itself, some from "Kemoge" samples). One of them, with "" package name, appears to be related to another (supposedly different) mobile attack, dubbed "MonkeyTest" by Cheetah Mobile on September 18th, 2015.

Searching for the app from the CM report reveals that it shares a certificate singularity with one of the apps FireEye reports as being downloaded by their samples. It shares the word "dashi" in its package name as well. There are even some specific strings in the code that are shared between samples from all the reports.

It seems that some of the apps related to these developers were uploaded to Google Play back in late December or January. Searching with Tacyt for some specific binary files inside the APK brought us to some apps on Google Play that were removed from the market last January.

Apps sharing very specific binary files

A curious thing is that most of them share this application permission, which is not very common (32 out of 4.5M apps): android.permission.ACCESS_MTK_MMHW.

Searching for certificates with those particular characteristics, and for apps removed from Google Play on the exact same day (presumably when Google discovered the fraud and cleaned the market), Tacyt found further evidence of related groups, such as this particular UMENG ApiKey, as shown in the picture below:

Shared UMENG Api Key
This UMENG ApiKey was shared only with a previous version of "Root Checker", removed from Google Play on 27 December 2014, and with the "OPDA" developers, who claim that their developer website is, which in turn is related to a previous package name used in the NGE (Xiny) attack. And there are even more connections between the word "Dashi" and the OPDA developer. The OPDA developers may be behind the Odpa/Opda adware family found in summer 2014.

On the other hand, CheckPoint reported that some of the domains found inside the "Brain Test" malicious app seem to be present in the "Kemoge" adware family as well:

Sharing specific domains


Tacyt’s powerful engine enables the analyst teams of the organizations to easily evaluate and correlate the application and its circumstances: when, who, what and where.

Using Tacyt, our analyst team has been able to obtain further evidence that suggests a relationship between several reports, and to confirm that some of the aggressive apps discovered had a version in Google Play in early 2015. The evidence suggests that these supposedly different malware families may be the work of the same Chinese gang (judging by the infrastructure, domains, topics, files, etc. they use), evolving the same idea: serving aggressive ads, rooting the devices, sending commands and installing new packages.

We assume this because of the many hints that join the families: domains, dates, permissions, names, certificates, resources, etc. They may have started their activities in late 2014 under the OPDA "brand", trying to introduce malware into Google Play and into legitimate apps as well. Later, they evolved with new techniques, from "Xinyinhe adware", which seems to be just a variant of "Ghost Push", to "Brain Test", which looks like an experiment on the way to "Kemoge". It seems that this Chinese gang is refining its techniques and creating more effective adware that can no longer spread via Google Play, only via third-party stores. Even so, it seems that they still use Google Play to serve "less aggressive" adware.
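The pivoting described in this post (and in the Excel-decoy post above, where Tacyt was used to go from one app to its developer's whole catalogue) comes down to indexing apps by shared "singularities" and joining any two apps that carry the same one. The script below is an added example written for this page, not Tacyt's code or any of the cited vendors' tooling; the app records, certificate labels, UMENG keys and domains are constructed placeholders, and the only value taken from the post is the rare permission name android.permission.ACCESS_MTK_MMHW. It groups apps with union-find and keeps, for every linked pair, the features that justify the link, so an analyst can see why two reports ended up in the same cluster.

```python
"""Cluster Android app metadata by shared singularities (added example).

Each app record carries the kinds of evidence the post pivots on: signing
certificate, UMENG ApiKey, contacted domains and rare permissions. Two apps
join the same cluster when they share at least one such feature; the shared
features are kept as evidence for the link.
"""
from collections import defaultdict
from itertools import combinations

# Rare permission the post reports as shared by most related samples.
RARE_PERMISSIONS = {"android.permission.ACCESS_MTK_MMHW"}
INTERNET = "android.permission.INTERNET"

# Constructed sample records; package names, certificates, keys and domains
# are placeholders, not indicators from the reports.
APPS = [
    {"pkg": "com.example.dashi.tools", "cert": "CERT_A", "umeng": "UMENG_1",
     "domains": {"c2-one.example"}, "perms": {INTERNET, "android.permission.ACCESS_MTK_MMHW"},
     "report": "FireEye (Kemoge)"},
    {"pkg": "com.example.monkeytest", "cert": "CERT_A", "umeng": None,
     "domains": set(), "perms": {INTERNET}, "report": "CM (MonkeyTest)"},
    {"pkg": "com.example.rootchecker", "cert": "CERT_B", "umeng": "UMENG_1",
     "domains": set(), "perms": {INTERNET}, "report": "Google Play (removed)"},
    {"pkg": "com.example.braintest", "cert": "CERT_C", "umeng": None,
     "domains": {"c2-one.example", "c2-two.example"},
     "perms": {INTERNET, "android.permission.ACCESS_MTK_MMHW"}, "report": "CheckPoint (Brain Test)"},
    {"pkg": "com.example.flashlight", "cert": "CERT_D", "umeng": "UMENG_9",
     "domains": {"ads.example"}, "perms": {INTERNET}, "report": "unrelated control"},
]


def singularities(app):
    """Return the (kind, value) features of one app that are worth pivoting on.

    Common permissions such as INTERNET are deliberately ignored: a feature
    shared by almost every app on the market links nothing.
    """
    feats = set()
    if app.get("cert"):
        feats.add(("cert", app["cert"]))
    if app.get("umeng"):
        feats.add(("umeng", app["umeng"]))
    for domain in app.get("domains", ()):
        feats.add(("domain", domain))
    for perm in app.get("perms", set()) & RARE_PERMISSIONS:
        feats.add(("perm", perm))
    return feats


def shared_features(app_a, app_b):
    """Direct evidence linking two apps: the singularities they have in common."""
    return singularities(app_a) & singularities(app_b)


def cluster_apps(apps):
    """Union-find over apps joined by any shared singularity.

    Returns (clusters, evidence): clusters is a list of sorted package-name
    lists; evidence maps an index pair (i, j), i < j, to the features that
    directly link those two apps. Links are transitive through the clusters
    but evidence is only recorded for direct pairs.
    """
    parent = list(range(len(apps)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(i, j):
        parent[find(i)] = find(j)

    index = defaultdict(set)  # feature -> indexes of apps carrying it
    for i, app in enumerate(apps):
        for feat in singularities(app):
            index[feat].add(i)

    evidence = defaultdict(set)
    for feat, members in index.items():
        for i, j in combinations(sorted(members), 2):
            union(i, j)
            evidence[(i, j)].add(feat)

    groups = defaultdict(list)
    for i, app in enumerate(apps):
        groups[find(i)].append(app["pkg"])
    clusters = sorted(sorted(g) for g in groups.values())
    return clusters, dict(evidence)


if __name__ == "__main__":
    clusters, evidence = cluster_apps(APPS)
    for group in clusters:
        print("cluster:", ", ".join(group))
    for (i, j), feats in sorted(evidence.items()):
        print(f"  {APPS[i]['pkg']} <-> {APPS[j]['pkg']}: {sorted(feats)}")
```

Running it places the four constructed "report" apps in one cluster, linked by a certificate, a UMENG key, a domain and the rare permission respectively, while the control app stays alone. In practice the evidence map is the useful output: a cluster built only on weak links (one shared ad-network key, say) deserves less confidence than one where several independent kinds of feature agree, which is the same reasoning the post applies when it lists domains, dates, permissions, names and certificates together.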


This whole report has been done without code analysis and with only the minimum information provided by the blog posts mentioned above. Taking more samples into account, the relations between all the samples become even stronger. A further analysis of all the data collected (emails, links, strings, etc.) from all the related APKs may guide us to a more accurate attribution.

Although hereby we briefly describe our research, the complete analysis process may be found here.

New "Insecurity in the Internet of Things" report

Tuesday, October 13, 2015

New Insecurity in the IoT report
You can now download the full report about Insecurity in the Internet of Things carried out by ElevenPaths' Analyst Team. It's available on the ElevenPaths website.

In the past six months potential insecurity within the Internet of Things (IoT) has been regularly making news headlines, from hacking planes, cars or baby monitors, to Smart TVs insidiously listening to and broadcasting unencrypted conversations across the internet. A September advisory issued by the FBI indicated that they too had concerns over inherent security flaws in the implementation of the IoT and warned of the potential opportunity offered to cyber criminals. While to many such a warning may seem premature given the current market penetration, the IoT is currently at a peak of expectation and anticipation, essential to driving the concept forward. In enterprise the IoT is seen as an integral part of the blueprint for developing from the digital business model of today to the digitisation of the entire value chain, and in the consumer space 'wearable' adoption is rising rapidly. However, advances in edge computing, networks, big data and analytics are still required for this truly disruptive technology to shape the future; and although widespread implementation is likely to be 5-10 years away, not addressing security flaws now will only compound the problem for an IoT-connected world.

Such scope ensures that the IoT should not be thought of as just a 'Thing' in itself; it is a collection of technologies integrated and presented to provide specific and vastly diverse applications. However, in terms of manufacturing, a rapid development lifecycle is producing devices that are 'always-online' and often carry inherent restrictions on security measures due to size and cost; research has indicated that as many as 70% of commonly used IoT devices contain significant vulnerabilities. Maintaining consumer trust, regulating the quantity and nature of data to be collected and transmitted, and tackling end-user behavioural traits likewise present complex challenges. At this nascent stage in the lifecycle, the focus on securing the IoT is often disproportionately weighted on the end device, forgetting that it is merely a component of a larger ecosystem that is only as strong as its weakest link.

Methods to subvert these technologies will depend both on the manner in which they mature and on how security is implemented on often exposed devices. Worryingly, the early indications are that the network, application and cloud security lessons of the past 20 years have often been forgotten by existing technology vendors, and not yet learnt by manufacturers pushing into a new market. While risk exposure from IoT vectors is likely to remain low in the short term for most enterprises, risk assessments may prove it is higher than first thought. The uptick in reflective DDoS attacks in H2 2014 and the composition of the 'Lizard Stresser' botnet already point towards the effect of an insecure IoT being maliciously re-purposed. Unanticipated information leakage from the extended IoT ecosystem may also compound the problem of data aggregation from both consumer and enterprise sources, enabling cyber criminals to unite disparate data sets for a wide range of malicious goals.

The concept of security by design must be given a higher priority in order to avoid security flaws being compounded as the IoT matures, and adopters should be alert to IoT integration in a less mature, loosely regulated environment, or risk costs spiralling later. Core principles of data, application, network, systems and hardware security remain applicable, but the complexity is higher and measures must take more care not to work against the user. The IoT will be a transformational, disruptive technological movement, but it carries a spectrum of risks that affect more than just the IT department.

More info about our Security Trends Reports at
ElevenPaths' Analyst Team

Telefónica and ElevenPaths announce new market leading security offering following key sector agreements

Thursday, October 8, 2015

In the context of the Company’s III Security Innovation Day

Madrid, Thursday, 8 October 2015.- Telefónica and ElevenPaths present today the company's new cybersecurity product lines at our third Security Innovation Day conference. The improved and expanded services are the result of Telefónica signing strategic alliances with major partners and key players in the security sector, including Alien Vault, BlueCoat, Intel Security, Palo Alto Networks, RSA and Vaultive.

Thanks to the input and technological capabilities of the new partners, ElevenPaths has improved and optimised its most powerful tools, including Sinfonier, Latch, SandaS and Metashield Protector.

Alliances that reinforce ElevenPaths’ solutions

Thanks to the agreement between Telefónica and BlueCoat, Proxy SG Internet access filtering systems will incorporate Metashield Protector technology (ElevenPaths' solution for preventing information leaks in all document environments), meaning all files are scanned before publication on web services. All access information generated by Proxy SG systems is accessible from Telefónica's SandaS platform, giving companies real-time access to IT security information. Moreover, together with GIN (BlueCoat's IP reputation service), SandaS can run filters or blockers on http/https accesses from a single point.

With a continuously escalating threat landscape pushing cybersecurity further up the list of concerns for boardrooms and millennials alike, Palo Alto Networks is leading the charge in putting an end to successful data breaches. Within the category of cybersecurity services, Telefónica has teamed up with Palo Alto Networks to develop a service that can discover mobile malware through the integration of three industry-leading technologies: the Palo Alto Networks next-generation security platform, which includes WildFire (the cloud-based malware analysis and prevention service); Tacyt (the innovative cyber-intelligence tool for mobile threats developed by ElevenPaths); and Sinfonier (the open system for real-time processing of information sources). Through this integration, customers will be protected from malicious mobile applications both on the network and on mobile devices.

Telefónica has also partnered with RSA, and now this company's solution, Security Analytics, will support connection to SandaS, providing a holistic view of companies' security and of the external threats and vulnerabilities that may affect them, as well as risk, governance and compliance.

Telefónica has likewise partnered with Intel Security, and now this company's security event management and correlation system, NITRO, will be able to connect to SandaS and SandaS GRC.

SandaS can also be connected to Alien Vault's USM platform to improve its analysis and risk control capabilities, building on those already available in the integration with earlier versions.

Telefónica, through ElevenPaths, has joined forces with Vaultive to integrate the encryption proxy service developed by that company. This protects the confidentiality of companies' information on SaaS platforms, especially Microsoft Office 365, together with the Latch tool, which allows mobile device authorization and access control for Office 365.

ElevenPaths has recently acquired GesConsultor, a technology solution specialising in management and compliance systems (Governance, Risk & Compliance, or GRC), which from now on is integrated into its product portfolio as SandaS GRC. The Telefónica subsidiary has also acquired the intellectual property of the "Handwritten Signature Capture and Verification Development System in Mobile Platforms" software, which is linked to research work with the Carlos III University of Madrid.

Telefónica is working to develop new services and security capabilities that help its clients' businesses to be better protected against threats in the environments in which they operate. In the past year, the Company has undertaken a transformation process based on innovation through technology.
As a result, Telefónica España is the leading company in billing, managed devices and implemented projects. Spain's top companies, public bodies and law enforcement forces and agencies rely on it for their cyber security.

The event will be streamed live to all Telefónica offices and will be accessible over the web at:

More information on

» Download press release