McAfee Hidden Device Admin Detector – Free Protection from Android Malware

A few weeks ago, we told you about Obad, a backdoor Trojan that targets the Android operating system (OS). What differentiates a Trojan from a traditional virus is that this type of software attempts to masquerade as something useful in order to trick users into opening the file and then leaves a backdoor open so attackers can access your data at any time. This Trojan affects all Android OS users, and it is strongly recommended that you address this flaw immediately!

What does Obad do? 

Essentially, Obad enables the downloading of malicious apps onto your Android device right under your nose – these apps have the dangerous ability to take advantage of your device’s administrator capability without your knowledge. The apps are created so that they don’t show up in your device’s admin screen, ultimately preventing you from uninstalling the app even if McAfee Mobile Security identifies the app as a malicious one.

New from McAfee – the McAfee Hidden Device Admin Detector, part of the McAfee Mobile Innovations app and now available on Google Play, protects your Android device from the Obad threat. Upon installation, use the app to scan your device for apps that have been granted device admin privileges, unbeknownst to you.

Obad FAQs:

Which devices are affected?
Any device running the Android OS carries the risk of being affected by Obad

How does it work?

1. It’s hidden.
Obad runs in the background of your mobile device so you may not know if you even have it or if you have unknowingly installed an infected app. It’s so well hidden that once Device Administrator privileges have been granted to the app, the malware, or malicious software, does not appear in the device administrator list, making it almost impossible to delete it.

2. It executes remote commands.
Devices infected with Obad can be controlled remotely by a Command and Control (C&C) server. Through a Command and Control (C&C) server, attackers are able to send commands and receive outputs from your device without ever alerting you. The attacker can send a variety of commands such as:

  • Making your mobile send unauthorized text messages (e.g. to premium rate numbers);
  • Downloading other malicious apps and installing them on your device;
  • Harvesting sensitive information (e.g. your contact list or capturing what you type on your device);
  • And acquiring the account balance.

How does McAfee Hidden Device Admin Detector work?
It scans and detects malicious apps that have been granted device administrator privileges and are hidden to prevent removal. The apps are then visible to you so that you may remove their device administrator privileges and then uninstall them from your Android device.

See screenshots below of McAfee Hidden Device Admin Detector in action:

2013-06-27 19.33.182013-06-27 19.33.28

Do I need to be a McAfee customer to be able to take advantage of this free app?
No. McAfee wants to ensure all Android users are safe, therefore, this app is available for free to all Android device users via Google Play.

Will the McAfee Hidden Device Admin Detector eventually be a part of McAfee Mobile Security?
Yes. We are planning to have it integrated as part of McAfee Mobile Security later this year, however, we wanted to make sure to have a solution that addresses Obad available as soon as possible for all Android users.

What is the cost of this app and how can I get it?
McAfee Hidden Device Admin Detector is available for free on Google Play, via the free McAfee Mobile Innovations App.

Don’t let your Obad take control of your phone and sensitive data – download McAfee Hidden Device Admin Detector today.

For future updates, be sure to follow us on Twitter at @McAfeeConsumer or on Facebook at

The post McAfee Hidden Device Admin Detector – Free Protection from Android Malware appeared first on McAfee Blogs.

Download with Caution! McAfee Identifies Risky Mobile App Sources

As more people use mobile devices in their daily lives, those devices are rendering them increasingly vulnerable to infection through the very apps we rely on to make our lives easier.

According to McAfee’s recent report, “Mobile Security: McAfee Consumer Trends Report – June 2013”, malware threats have not only increased for mobile devices, but have augmented in sophistication and determination, often infecting a device with multiple malicious actions.

Where email previously presented the highest risk for infecting a system through the misled click of a mysterious link, most viruses are now delivered via the downloading of mobile apps containing malware. According to the study, roughly 1 in 6 apps downloaded by users contained suspicious URLS and/or malware.

Other findings from the report include:

  • Almost 1/4 of the “risky apps” that contained malware also contained suspicious URLs;
  • 40% of malware families misbehave in more than one way, working on multiple fronts to gain and exploit protected information from devices;
  • 23% of mobile spyware joins a botnet or opens a backdoor, increasing the risk of data loss or device abuse;
  • Crooked app stores use “black hat” search engine optimization (SEO).

These apps may include both malware and suspicious URLs in combination to permit more complex attacks, although not all risky apps contain malware. All risky apps, however, can be delivery portals for cybercrime tools, harboring malicious code and hacker tools, as well as links to websites that criminals control.

The infections they bring to a mobile device can steal your personal information and perpetrate fraud under your own name, or abuse a device by making it part of a criminal bot network.

How do you spot and protect yourself from these “risky apps” and other attacks on your mobile lifeline? Few tips from McAfee:

• Avoid downloading from suspicious or unfamiliar websites, especially on mobile devices
• Check the rating of an app from the store from where you are downloading
• Read the user reviews for the app before downloading (this will quickly tell you if an app should be trusted or not)
• Use McAfee Social Protection software to scan each app download and identify risky apps

When in doubt, you can also check out the McAfee research database, which houses a massive collection of mobile apps—both innocent and risky.

For future updates, be sure to follow us on Twitter at @McAfeeConsumer and on Facebook at


The post Download with Caution! McAfee Identifies Risky Mobile App Sources appeared first on McAfee Blogs.

Mobile Malware Plays Hide and Seek

Android/Obad.A is mobile malware that has been described as very complex. Truly it is one of the most complex we’ve seen because it:

  • Uses Bluetooth to infect other Android devices
  • Accepts commands from the attacker
  • Hides from the Device Administration list

This is a good collection of malicious activities for a modern piece of malware. Is it unique, though? No, other mobile malware has propagated via Bluetooth, as early as SymbOS/Cabir. Earlier mobile botnets on Symbian, Windows Mobile, and even Android have also accepted commands from attackers’ control servers. That last item, though, disappearing from a standard listing makes Android/Obad a bit more insidious.

Hidden apps: unwelcome guests?
If you can’t find it, you can’t remove it. Nearly every other piece of Android malware that doesn’t have root access can be found and discovered. Android/Obad uses a vulnerability that keeps it off the standard Device Administration list. The vulnerability isn’t yet closed, so it’s very likely we’ll see other malware authors start to exploit it.

Peek-a-boo, I see you
Fortunately, we have added hidden-app detection capabilities to the latest edition of our McAfee Mobile Innovations app (MMI). The MMI app hosts a bunch of our other new beta features as well. Protecting private data (Data Vault), letting your devices warn you before you lose them (Smart Perimeter), and a tool to avoid dangerous QR codes (Safe QR Reader).

2013-06-21 10.49.00

 Select “Hidden Device Administrator Applications” from McAfee Mobile Innovations menu.

The Hidden Device Administrator Detector searches and finds all apps that have Device Admin access, even if they’re using the vulnerability to hide from the Android OS. Once you run it, it will give you a list of all hidden Device Admin apps and the option to deactivate or remove them.

2013-06-21 10.49.10

A list of all detected Administrator Apps.

Malware attempting to hide via vulnerabilities face a short life. As soon as software publishers fix the bugs in their software or antimalware apps add detection and removal, their time is up.

The post Mobile Malware Plays Hide and Seek appeared first on McAfee Blogs.

Malicious Dating, Ad Services Plague Japanese Users

In a previous blog McAfee Mobile Research reported on fraudulent adult dating-service applications on Google Play that target Japanese users. Many other suspicious applications are spreading on Google Play in Japan, and try to lure users to similar fraudulent sites.

These suspicious applications have appeared on Google Play since May. They offer adult or nonadult image viewers, article collection sites (known as a matome site in Japan), viewers for a well-known online BBS, information for popular games, silent cameras, and others, as well as the previously mentioned bogus dating services.



Suspicious apps include a BBS article-collection services and a silent camera app.



Suspicious information apps for a popular game.

Once a user installs one of these applications, its background service using server-to-device push notification mechanism (Google Cloud Messaging) is registered and started. Through this mechanism, the application developer can send any information to the device at any time, and the corresponding background service can run its code in response to the notification. This background processing can occur even when the application itself is not running.

The push notification mechanism is generally used by, for example, a major mobile advertisement network targeted at Android devices in its SDK, and by this any advertisement can be displayed on the devices’ system notification area. By incorporating this ad module, developers can get revenues once the ads are displayed or users buy the advertised services.

By investigating the message contents sent by push notification and displayed on the notification area, we can see that in some cases these suspicious applications are receiving and displaying links to the previously mentioned malicious dating-service sites. Other notifications display links to other applications’ download pages on Google Play, probably to gather affiliate revenues. Nonetheless, these applications are risky or even malicious because they try to send users to fraudulent websites.





Examples of ads via push notification sent from suspicious servers.

Push notifications of this sort are risky because a notification is sent without any prior explanation or an opportunity for users to reject the notifications at installation or the first launch of the application. Without these options, this type of notification can mislead users to unwanted or risky services.

We have found that Google Play has many applications containing this suspicious ad module and more of these apps are uploaded almost every day. We have confirmed about 350 of these applications in total, and more than 160 are still alive on Google Play. (Others have been deleted for some reason.) The total number of downloads of current apps is between 20,000 and 70,000, and would be much more than that if we include the deleted ones.



Examples of suspicious apps uploaded every day.

So far our investigation shows there is no publicly hosted service operating this advertising module. We believe that this module is not provided through any official ad network agency, but instead is privately operated by the application developers using their own server. Because of this arrangement, we consider this ad module a fake that imitates official modules provided by legitimate ad agencies.

A similar malware, Android/BadNews, targeted mainly at Russian speakers, also uses a fake ad network. This malware uses a module provided by a fake network and displays links to a malicious application that sends premium SMS without the user’s knowledge. In the case of Android/BadNews it appears the ad module was developed as a separate software module; in the case of the suspicious Japanese apps the module is embedded into the application.

Many apps containing this fake ad module are published on Google Play across multiple developer accounts. But we believe that all of them are created and published by a single developer or group of related developers, considering the similarities in their implementation code and the naming conventions used for the apps’ package names. Moreover, the developer(s) of these suspicious apps also publish many fraudulent adult dating-service apps. So we can conclude this developer operates with malicious intent, trying to capture users by embedding this risky ad module into many apps under various genres on Google Play.



Fraudulent dating-service apps published by the same developers.

McAfee Mobile Security detects these applications with the fake ad module as Android/BadPush.A.

The post Malicious Dating, Ad Services Plague Japanese Users appeared first on McAfee Blogs.

Fraudulent Adult Dating Services Turn 10 Years Old, Still Evolving

McAfee Mobile Research monitors adult one-click-fraud applications on Google Play that are targeted at Japanese users. Although the attackers appeared to have stopped uploading these apps in May, they have now resumed the attacks. We have confirmed about 600 malicious applications have been published since the beginning of April.

We have also confirmed that another type of well-known fraudulent application–bogus adult dating services–are increasing on Google Play. These fraudulent dating-service applications have been published before on Google Play, and now we’ve seen new apps appear every day since May. We’ve counted in total more than 400 fraudulent dating applications, and more than 130 are still on Google Play. The number of total downloads lies between 90,000 and 310,000. The figure would be higher if we counted already deleted apps.



Fraudulent adult dating-service applications in Japan.

Fraudulent dating services have existed in Japan for more than 10 years. They generally operate using decoys, called sakura in Japanese. These are the service operators themselves or paid agents who pretend to want to meet the victims. The sakura have no intention of meeting, but do want to make callers pay money to keep in touch. In most cases, the victims are lured to these malicious sites via spam mails, links on web pages, and search engines. Recently new media–such as social networking services and free messaging tools–also attract victims to these services.

Today, the attackers increasingly trick their potential victims using mobile applications, especially on Google Play. In most cases, these apps simply show fraudulent websites on its WebView component or run a browser to show the sites.



Initial screens of fraudulent dating service apps displayed on WebView.

We now know that a developer of a series of one-click-fraud applications also publishes fraudulent dating-service apps. It is not clear whether the developer is actually operating the dating services but they are related, for example, by receiving affiliate revenues from the service operator.



Fraudulent dating service apps published by a one-click-fraud apps developer.

It appears that other developers are publishing bogus dating applications. The apps vary in format: displaying fraudulent websites, providing fake advertisement links to websites, providing links a set of websites including malicious sites and legitimate dating services, imitating article threads from a well-known BBS and tricking readers into believing their story and registering for the malicious services, and so on.



Fraudulent dating-service apps published by another developer.




Links to fraudulent dating-service apps embedded in a BBS article-collection app.



Fraudulent dating-service app as a collection of links.

The landing pages of these malicious sites often imitate pages on Google Play–to make users believe the services are safe and endorsed by the official app store.



Landing pages of fraudulent apps imitating Google Play pages.

These applications do not automatically collect private information from the devices or send spam mails/SMS messages; they just lead users to their fraudulent sites. On those sites, users are requested to input their email address on their devices or in some cases their mobile phone numbers.

Once users register for the service, the decoy sends mail, which always has the same message. At first, users can exchange messages with the potential “partner” for free, but the free period suddenly expires just as the decoy promises to meet; the victims have to pay to keep in touch. Sometimes the decoy says she wants to give the victim a huge amount of money and requests a minimum charge to the service to proceed; of course such offers are always baloney!

Other characteristics are that users are automatically registered in one or more dating services at the same time, probably operated by the same fraudulent group. Once registered in these services, users will receive a massive amount of spam to trick them into paying money; in the worst case two or three mails are sent every minute, up to more than 1,000 mails per day.

Users can avoid these risks by not registering for the services or not communicating with the service operator even if they accidentally register. But even with this easy defense, some victims suffer again and again. Professional fraudsters catch the unguarded with their tricky tactics.

McAfee Mobile Security detects these fraudulent dating-service apps as Android/DeaiFraud and protects customers from this common Japanese fraud. We also block web access to such malicious sites by registering their URLs in our Web Reputation Database.

The post Fraudulent Adult Dating Services Turn 10 Years Old, Still Evolving appeared first on McAfee Blogs.