More Japanese Chat Apps on Google Play Steal Phone Numbers

In two recent blogs, McAfee Labs described Japanese and Korean Android apps on Google Play that steal a mobile device’s phone number. We have now found two more Japanese chat apps that show similar behavior. These two apps have been downloaded between 10,000 and 50,000 times each. The developers of these apps have manipulated the ratings of their apps on Google Play in a prohibited, unfair way and also operate several suspicious sites offering adult-dating services.

 

chatleaker-b-1

chatleaker-b-1b
Figure 1: Two Japanese chat apps steal a device’s phone number.

 

The apps, Chatline and Connect Line, give users the impression that the apps are related to Line, a popular messaging app in Japan, though they actually have no relationship at all.

The apps retrieve a device’s phone number, International Mobile Equipment Identity (IMEI), and Subscriber Identity Module (SIM) serial numbers, and send them to a remote web server. This occurs when users launch the apps and before they create user profiles for the chat service. Moreover, if a user creates a profile for the service, information such as nickname, gender, city of residence, birthday, and self-introduction provided on the application screen are sent with the other numbers. A user is not required to input real information, if a user adds more detailed personal or attribute data–such as hobby and preferences while chatting–this information might be stored on the developer’s site, associated with the phone number. This can be a big privacy risk.

 

chatleaker-b-2
Figure 2: The application screens of the two suspicious chat apps.

 

chatleaker-b-3
Figure 3: An example of sensitive data sent from the apps to the developer’s web server.

 

The apps request READ_PHONE_STATE and other permissions at installation, but do not tell users that they will retrieve the device’s phone number and other information and send that to the developer’s server. There’s no hint in the description of the apps, their screens, the terms and conditions, or the privacy policies. These apps know how to keep a secret.

On Google Play these apps are getting very high scores in user reviews, but these unnaturally high scores seem to come from cheating. In these apps, users need to pay a service fee to chat. Users receive a small amount of free credit to start using the service, and this credit is soon exhausted. Then users are prompted to buy new credits via Google Wallet to continue chatting. At this point, the service makes attractive offer to give more free credits if users will give a high review score (4 or 5) to the app on Google Play. App-ratings manipulation by offering incentives to users is strictly prohibited by Google Play Developer Program Policies. It is clear that the apps violate this policy, which tells us the developers are already breaking the rules.

 

chatleaker-b-4a

 

chatleaker-b-4b
Figure 4: Chatline offers incentives to users for manipulating its ratings on Google Play.

 

The implementation code of these two apps is almost the same, which implies they were built and published by the same developer or by related parties. Our investigation into the developers–based on the company information found on the apps–reveals they operate several suspicious adult-dating sites. We have not confirmed that the collected phone numbers and other information are being used for fraudulent or other malicious purposes. But users of these apps should be aware that their private information is being sent to such companies in the adult-dating business.

 

chatleaker-b-4
Figure 5: Adult-dating services operated by the developers of these apps.

 

Users of Android devices should always be careful about potential information leaks caused by apps. They should check permission requests by an app at its installation, the application’s description page on Google Play, the privacy policy, and terms and conditions. If such an information leak is possible, users should always check if the developer of an app is really trustworthy. We strongly recommend against installing very new chat/communication/SNS-related apps published by unknown developers.

McAfee Mobile Security detects these apps as Android/ChatLeaker.B.

The post More Japanese Chat Apps on Google Play Steal Phone Numbers appeared first on McAfee Blogs.

Black Friday Shopping Scams go Mobile

It’s almost midnight. The streets are dark and hundreds of early morning shoppers are gathered outside of malls across the country, ready to brave the impending insanity for the sake of amazing holiday deals. In the U.S., Black Friday and Cyber Monday shopping madness is right around the corner, and many consumers will soon “be consumed” with seeking out the best deals when buying holiday gifts. With mobile device use already on the rise, many consumers will rely on their smartphones and tablets to reduce holiday anxiety. However, as we prepare to find the best deals and perfect presents, we open ourselves up to cybercriminals waiting to steal valuable information from our most convenient gadgets.

There are more holiday-themed scams each year, but many are now focusing on mobile users and the considerable revenue that mCommerce will be generating. To highlight these risks and put a damper on cyber Scrooges, McAfee recently launched its annual 12 Scams of the Holidays list, which aims to educate users about the most common seasonal scams that criminals use to steal credit card and other sensitive information.

While cybercriminals target users year-round, we are especially vulnerable to scams during the holidays. Malware can easily slip in among the massive flow of holiday deals floating around this time of year. With more of us storing financial and other sensitive data on our mobile devices, the risks can be even higher for those of us looking to shave some time off our holiday shopping by utilizing the convenience of a smartphone or tablet. A whopping 51% of U.S. adults bank online and 32% use mobile banking regularly, meaning lots of critical information is stored on devices at any given time. Once criminals have a way in, be it through a QR code, risky app, phony website or fake coupon, they can not only get to stored financial information but take over your entire device—including your camera and microphone.

Staying safe when the Black Friday buying frenzy ensues is dependent upon you being aware. Below are some common holiday mobile risks to look out for along with tips for protecting your data and your identity during this shopping season.

Not-So-Merry Mobile Apps

Mobile apps have made staying connected seamless, whether you’re checking to see if your favorite sports team is winning or organizing your daily calendar. But before you download that app to help with the planning of your holiday shopping, be wary of potentially dangerous software. Don’t be fooled by official looking descriptions and a five-star rating—malicious apps may have an appearance of legitimacy, but can be designed to steal and even worse, send out valuable information.

For example, the Android.FakeInstaller mobile malware passes itself off as the installer for a legitimate app, and then sends text messages to premium rate numbers, without your consent. This can eventually rack up your phone bill by hundreds of dollars, and you won’t know until the bill arrives.

What should you do? Thoroughly research the latest and greatest mobile apps before downloading, especially free ones released around the holidays. To ensure validity, look out for comments or reviews by third parties, and when in doubt, don’t download. Always download from trusted online sources, such as the Apple App Store and Google Play.

Holiday Mobile Message Scams – SMiShing and Phishing

SMiShing, also known as phishing via text message, is a common way scammers try to trick users into revealing passwords or clicking on malicious links. Clever criminals will send out genuine-looking text messages, often masquerading as a valid organization, asking users to confirm their identity for account security purposes.

Aside from nasty text messages, malicious emails can do the same amount of damage to a mobile device as they can on a computer. Be wary of messages from unknown senders and check for inconsistencies like misspellings or strange characters or symbols.

What should you do? Always be suspicious of messages from unknown senders or even ones that appear to be from your bank. A legitimate organization will never ask for account details, so if it does, delete the message immediately. The same goes for checking emails via your mobile device—never click on links if you don’t recognize the sender and never share personal information.

Seasonal Travel Scams

Aside from buying gifts, the holidays are synonymous with traveling. Many people will be spending time with friends and family away from home, but the same security threats follow wherever you go. Scammers will try to snare you with seasonal travel deals that end up with you downloading malware.

People are especially vulnerable to scams when out of their element, and public Wi-Fi is a prime example. Not having the comfort and security of your home network is an inevitable part of holiday commuting, but think twice before logging on or checking your account balances via public connections. Cybercriminals troll public Wi-Fi connections looking for unprotected devices to hack and grab usernames, passwords, and even banking information.

What should you do? As always before clicking on that link promising amazing savings to plan your holiday travels—be wary of any deal that looks too good to be true, and exercise caution before clicking through. When traveling, or even when out shopping near home, don’t connect to Wi-Fi unless the connection is secure and trustworthy. Wait to check sensitive things like bank accounts and email until you can use a password-protected connection.

Malicious Mobile Games

Dangerous apps are an issue any time of the year, but with many people preparing to travel for the holidays, they are looking to be entertained. A three-hour layover is infinitely better with the help of a fun mobile game, but not all of these apps are nice. Scammers make fake versions of popular games to trick unsuspecting users into downloading them instead of the real ones. These faux-games can look nearly identical to their legitimate counterparts, with slight variations such as spelling errors or color schemes.

What should you do? Beware when downloading games on your mobile device, research the app before downloading, and again, only download or buy games from reputable app stores.

Bogus Deals and Malicious QR codes

While there is no shortage of amazing savings during Black Friday and Cyber Monday, as I’ve stated before—anything that seems too good to be true, probably is. And one area where this rings especially true is with QR codes. They may seem like fun little squares of surprises, but QR codes can also be used to spread malware, and clever criminals will often house them in legitimate looking advertisements to throw off suspicion.

What should you do? Always check the source and validity of an offer before clicking through. Call the retailers listed on the deal, or check their website before opening an email or scanning a QR code that promises to whisk you away to savings.

Just as the Grinch stole Christmas, cybercriminals can easily steal information from our mobile devices and ruin the holidays. Using the above tactics will definitely help you stay one step ahead of cyber Scrooges. Additionally, here are some general mobile security tips to keep in mind year-round:

  • Limit third-party app access. Always be careful about what permissions each app is allotted on your mobile device, be it to your photos, microphone or location information.
  • Only download apps from official sources. Third-party app stores and websites are known for fostering risky apps and malware. Stick to downloading from trusted online sources, such as the Apple App Store and Google Play.
  • Update your mobile software. Make sure you are using the latest versions of your mobile operating system, browser, and security software.
  • Search with caution. Protect your device and your data when searching for holiday gifts by using a safe search plugin such as McAfee® SiteAdvisor® that comes with McAfee® Mobile Security.
  • Use comprehensive mobile security software. McAfee Mobile Security for both your Android smartphone and tablet comes with many features to help protect your mobile devices from a variety of threats. And until December 13, 2013, it’s available for a discounted price. US residents only.

Learn about the latest mobile security updates and threats, by following our team on Twitter at @McAfeeConsumer or Like us on Facebook.
12Scams_Infographic_800X930_Holidays_fnl

lianne-caetano

The post Black Friday Shopping Scams go Mobile appeared first on McAfee Blogs.

Hectic Holidays Heavenly for Hackers

Ahhh, it’s that time of the year again: the hustle and bustle of the holiday season—parties, gift giving, travels and get togethers with friends and family. But it also brings up the question of how and when are you going to have time to shop and get everything done in time?—let alone fight those crowds at the mall for that elusive parking space.

With online shopping, not only can you shop any time of day (or night if you’re like me and a night owl), from the comfort of your couch or recliner and can easily compare prices without walking up and down the mall or driving all over town. You can even get things online that you simply just can’t buy locally. But while online shopping provides you with a high level of convenience, it also provides cybercriminals with opportunities to steal your money and information through various online scams.

That’s why as Black Friday and Cyber Monday (which has become one of the biggest online shopping days of the year) approaches, you need to make sure you’re being smart when shopping online. Besides making yourself familiar with the 12 Scams of the Holidays, here’s some tips to stay safe online:

  • Be wary of deals. Like Mom said, “if it’s too good to be true, it probably is”. Any offer you see online that has an unbelievable price shouldn’t be believable. I saw a 25-foot camper on Craigslist for 10% of the list price, and it was within 10 miles of me. My endorphins rushed and I was filled with excitement—I wanted it! Then I found out it needed to be shipped from Chicago (I live in Boston) and I calmed down. But I can see how when a person’s endorphins peak, hasty decisions can ensue.

MFE_12Scams2013_TipGraphics_OneTime

 

  • Use credit cards and not debit cards. If the site turns out to be fraudulent, your credit card company will usually reimburse you for the purchase; and in the case of credit card fraud, the law should protect you. Some credit card companies even offer extended warranties on purchases. With debit cards, it can be more difficult to get your money back and you don’t want your account to be drained while you’re sorting things out with your bank.Even better is a one-time-use credit card, which includes a randomly generated number that can only be used for a single transaction. While this may be an extra step in your shopping process, it can go a long way to protecting yourself online and it’s a good way to #HackYourLife.

MFE_12Scams2013_TipGraphics_url

 

  • Beware of fake websites. When searching for a product online, you are likely to end up clicking on something within the first few pages of your search results. Cybercriminals often setup up fakes sites that look real at URLs that are common misspellings or typos of well-known shopping sites (also known as typosquatting).Instead of typing in the URL of your favorite site, make sure you have a safe search plug-in installed on your browser, like McAfee® SiteAdvisor®, and search for that site. SiteAdvisor will then give you color-coded safety ratings in your browser search results and give you a warning before going to sites that are known to be malicious.

 

MFE_12Scams2013_TipGraphics_Privacy

 

  • Review the company’s privacy policy. Look to see how the merchant uses your personal information and check to make sure that it will not be shared with third parties. You should only disclose facts necessary to complete your purchase and not any additional information about yourself.
  • Never click on spam links to make purchases. Your email inbox and now text messages are full of scammy messages from hackers designed to lure you into clicking links and parting with your credit card information.
  • Know the shipping policies. Look into shipping and handling fees and make sure they seem reasonable to you. You want to make sure that you understand all your shipping options and how they will affect your total cost.
  • Look for HTTPS: Check to see if the site uses encryption—or scrambling—when transmitting information over the Internet by looking for a lock symbol on the page and checking to make sure that the web address starts with https:// instead of http://.
  • Only use secure devices and connections: Public computers at an Internet cafe or library are risky because you don’t have control over who used the device before you and you don’t know if there is malicious software on them that can steal your information. Also make sure that you don’t shop online if you’re using an unsecured wireless connection like those in a coffee shop or airport. A hacker could intercept data you are sending over that connection whether you’re on your computer or mobile.
  • Protect all your devices. When shopping online, make sure you have up-to-date security software on all your devices, like McAfee LiveSafe™ service, that can safeguard your privacy and data, protect against identity theft, and defend against viruses and online threats.

 

Make sure to keep the cheer in your holidays and practice safe online shopping all year round.

And don’t forget to share these tips and McAfee’s 12 scams of the holidays. McAfee is having a Season of Sharing sweepstakes.* To enter, go to 12scams.com and share the #12scams of the holidays content to help protect your friends and family. The more you share the more chances you have to win a Dell™ XPS™ 12 convertible Ultrabook™ or a Dell Venue™ 8 Pro Tablet with McAfee LiveSafe™.

 

*No purchase necessary. Valid only in the US from Nov 18 – Dec 13.

 

RobertSiciliano

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

The post Hectic Holidays Heavenly for Hackers appeared first on McAfee Blogs.

Mobile Monday: Protecting Your Privacy in a Not-So Private World

In today’s digital and data-driven world, privacy has become harder to come by and people are sharing more personal information than ever before. McAfee and One Poll conducted a study and found that 55% of people have shared their mobile or tablet PIN with others. But for us at McAfee, privacy is not dead and it’s something we strive to protect at the consumer and enterprise levels every day.

Given what a big issue it’s become, we wanted to hear what the industry’s most experienced experts had to say about this so McAfee sponsored Mobile Monday’s most recent Silicon Valley event and I moderated the panel titled, “Protecting Your Privacy in a Not-So Private World: The Mobile Security Debate.”

Our panelists included a variety of experts who brought some insightful, unique and sometimes controversial ideas to the stage. After brief introductions, we kicked off the panel and covered everything from invasive app permissions to consumer education to who’s responsible for protecting the privacy of consumers. Below are some quick highlights on the insights, issues and opinions that were raised during the discussion:

  • Magnolia Mansourkia Mobley, General Counsel/Chief Privacy Officer at Carrier IQ: The vast majority of apps are collecting far more information than they need. Our phones are screaming at us that apps are a privacy violation and we’re saying “yes, please give me more.”
  • Sameer Bhalotra, COO of Impermium, Former Sr. Dir. for Cybersecurity at the White House: Too many people do not use multi-factor authentication and it’s very clear that it’s a superior way to go. Passwords are not good enough to secure your identity. We need to find a way to do more as companies, governments and consumers to implement multi-factor authentication.
  • Jarad Carleton, Principal Consultant, ICT, Frost & Sullivan: I know some companies here in Silicon Valley that make technology for holistic encryption and their executives don’t use it. So there’s a problem at both the executive and consumer level.
  • Kashmir Hill, Senior Online Editor at Forbes Magazine: When we look at what privacy advocates are doing, their big emphasis is on getting companies to make different decisionsbecause that is more helpful than trying to educate people about what they should do. 

For those that weren’t able to make the panel, fear not! I leave you with some bite-sized takeaways from each panelist – see their best advice below—and you can watch the entire discussion on Ustream here:

  • Mobley’s advice for kids: never give an actual name, age, email or birth date to apps.
  • Hill’s easy ways to enable security: clear your cookies and set passcode on your smartphone.
  • Bhalotra’s security tip: be careful what you do online when using unsecured Wi-Fi.
  • Carleton’s advice for parents: teach your kids to have a digital firewall between your online and real life persona—online is forever.

Remember to stay safe online and think about what you post or share online—it’s like writing in permanent pen. To help you protect your smartphones and tablet, McAfee is offering 80% off McAfee Mobile Security (Until December 13th, 2013) for both your Android smartphone and tablet that will not only protect you from threats, but help protect your privacy.

And last but not least, my advice for kids: every child should STOP. THINK. CONNECT. before they go online and learn the Internet “rules of the road.”

 

Michelle

 

The post Mobile Monday: Protecting Your Privacy in a Not-So Private World appeared first on McAfee Blogs.

Japanese Chat App for Android Steals Phone Numbers

Update, December 5

The developer of the app Machin Chat has contacted McAfee and reported that the collection of phone numbers was inadvertent and that they have no malicious intent. We have verified that updated code no longer collects phone numbers. The updated app is available on Google Play. (Older versions of the app have not been fixed.) McAfee has removed detection of the new app because it no longer poses a security risk.

 

There have been many reports today of Android malware that steals users’ sensitive information and threatens the privacy of smartphone users. McAfee has recently found suspicious chat applications for Japanese users on Google Play. These apps are capable of retrieving a user’s phone number and secretly sending it to the developer’s web server. This information-leaking code is implemented using JavaScript.

 

chatleaker-1
Figure 1: Two suspicious chat applications found on Google Play Japan.

 

chatleaker-2
Figure 2: The app’s description page emphasizes “Registration Not Required.”

 

Despite the developer’s claim that registration is “not required” on Google Play’s description page, the phone number of the device is sent to a remote web server managed by the developer once the user tries to connect to the chat service, and with no notice. The retrieved phone number is actually encrypted before sending, but it is apparent that the developer can decrypt the data later on the server.

We do not know whether the developer will use these phone numbers for malicious purposes, but gathering such sensitive information without a user’s knowledge is a big problem. We can also assume the developer is deceiving or at least misleading users. Finally, the chat service does not appear to work, at least in our research. Fortunately, we count fewer than several hundred downloads of these two applications.

 

chatleaker-3
Figure 3: When users tap the button on this chat screen, their phone numbers are secretly sent to the developer.

 

Unlike most Android malware, this suspicious code is implemented in HTML/JavaScript, hosted on the server, that interfaces with a custom JavaScript interface using WebView to call Android APIs. In the Java code, the application defines a custom JavaScript method getNo(), which calls the TelephonyManager.getLine1Number() method of the Android API and returns the encrypted phone number. The app then exports the method in the “android” object to be used from the JavaScript code. The code in the HTML hosted on the server calls the android.getNo() method to get the data and send it to the same server via XMLHttpRequest (or HTTP POST via form, as used in another variant) when the user takes a certain action on the page such as tapping a button.

 

chatleaker-4Figure 4: Java code for the custom JavaScript object to access the device’s phone number.

 

chatleaker-5
Figure 5: This JavaScript code accesses the phone number using the custom object and sends it to server.

 

The JavaScript code is implemented so that it can work even outside the Android application, for example, when the chat site is visited via web browsers. In this case, an unimportant string generated from the current date is used instead of the phone number, which means the service can work even without using phone numbers. From this, we can also see the developer’s malicious intent of trying to steal private information whenever it is accessed from the Android app.

There are some well-known HTML/JavaScript-based development frameworks, such as Apache Cordova (a.k.a. PhoneGap), which allow developers to write application logic in HTML/JavaScript and also access Android APIs internally using the same mechanism described above. In most of these cases, the HTML/JavaScript code is packaged in the application package file (APK), together with the development framework library, where it is easy to analyze potentially risky or malicious code.

On the other hand, this suspicious application’s code is hosted on the server, not in the APK, making static analysis more difficult than usual, especially due to the dynamic nature of its server HTML/JavaScript code. What is worse, the custom JavaScript object can be abused by other malicious sites as well to steal sensitive information once the users navigate using WebView from the original application to such sites.

With HTML/JavaScript gaining popularity as an application development language especially for mobile devices, along with their being expected as the main application vehicle in new Web-oriented mobile platforms like Tizen and Firefox, we predict an increase in this type of mobile threat in near future.

McAfee Mobile Security detects these suspicious applications as Android/ChatLeaker.A.

The post Japanese Chat App for Android Steals Phone Numbers appeared first on McAfee Blogs.