
Archive for the ‘Security’ Category

Volume III: Who aM I? Confessions of an Obfuscated JS Worm

Friday, March 28th, 2014

This is volume III (…a lengthy one…) of a three-part series based on our (Kaarthik RM and Rajababu A) paper for AVAR 2013, discussing the prevalence of autorun malware in the Asian region and taking it further by analyzing an example of such malware.

Carrying on from where we left off earlier…

How Do I Do It?: Obfuscation and Encryption, Immediate-Invocation Techniques

This JavaScript worm employs heavy obfuscation, encryption and immediate-invocation techniques to protect itself from prying eyes, which reduces readability to a large extent.

Figure 1: Image Showing a Single Line of Script with Around 40K Characters

From the screenshot above it is evident that the script consists of just one line of forty-four thousand and odd characters.

The script uses random strings of 7-9 characters for its variable names; at a glance they look uniform, but they are not. The four parameters of the function expression are unique: they share the same first three and last two characters, with random characters filled in between.

Formatting the above script (as shown in Figure 1) using tools like Malzilla [1] introduces some readability. Note that the function expression is enclosed within parentheses, and once the expression ends another set of parentheses encloses a large string (an encrypted string in our case). This form of invoking a function without explicitly calling it is widely known as a ‘self-executing anonymous function’ [3] or an ‘Immediately-Invoked Function Expression’ [2].

Below is the first level of obfuscation in the script:

Figure 2: Obfuscated Script with Simple Formatting Applied

This worm deploys its script as a ‘self-executing anonymous function’ / ‘Immediately-Invoked Function Expression’. To understand this better, consider the example below:

Figure 3: Normal Function

The above shows a normal function expression and how it is invoked.

Now consider this:

Figure 4: Immediately-Invoked Function Expression

Here the definition and the invocation happen in one step: the argument is introduced right after the expression, as:

Figure 5: Expression and Argument

The expression is highlighted in red and the argument in green. The underlying point is that such a function does not need a separate call to run. The code shown in Figure 2 has just a single function expression with four parameters; the actual arguments are found within the last set of parentheses. The function decrypts these encrypted strings into another script, as shown in Figure 6:

Figure 6: Second Level of Decryption

This first level of decrypted code is again an immediately-invoked function, which in turn decrypts into another script and an array of strings.

Figure 7: Screenshot Showing Array Values Being Referenced

This second level of decrypted script refers to array values by index, from 0 to 380; the array being referenced is shown in Figure 8.

Figure 8: Array of Strings Showing What Will be Referenced in the Script

Substituting the appropriate array values back into the script makes it far more readable, which shows that the indirection was there to hinder readability.

Figure 9: Final Script with Array Values Replaced

The script in Figure 7 turns into the script shown above (Figure 9) once the array values are substituted in. From the screenshot it is clear that the worm extracts several pieces of sensitive user and system information through the “Winmgmts” object.

Apart from the above, the script also uses a number of size-optimization techniques. For instance, it uses exponent form to write large numbers, “!0” for true and “!1” for false. This can be seen in the code snippet shown in Figure 10.

Figure 10: Optimization Used in Code
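To make the array-reference layer of Figures 7 to 9 and the size tricks of Figure 10 concrete, here is an added example written for this post (it is not the worm’s code and does not come from the original article): a constructed script of the same shape, and a small deobfuscator that substitutes the array strings back in and normalises the literals, as an analyst would do by hand. All names in it (`SAMPLE`, `deobfuscate`, the parameter names) are invented.

```javascript
// Added example (not the worm's code): a constructed sample shaped like the
// layer described above, an IIFE whose last argument is an array of strings
// referenced by index, plus the "!0" / "!1" / exponent tricks of Figure 10,
// and a helper that substitutes the array values back in. The parameter
// names are invented to mimic the pattern the post describes (same first
// three and last two characters).
const SAMPLE =
  '(function(kq2ab,kq7xb,kqz9b,kqm4b){' +
  'var q=kqm4b[0]+kqm4b[1];' +
  'var c=kqm4b[5]+kqm4b[2];' +
  'var vm=!1;' +
  'if(c.length<1e3){vm=!0}' +
  'return [q,c,vm]' +
  '})("x","y",0,["winmgmts:","{impersonationLevel=impersonate}",' +
  '"Win32_ComputerSystem","Win32_BIOS","Manufacturer","SELECT * FROM "])';

// Split a JS argument list on top-level commas, ignoring commas inside
// string literals, brackets and parentheses.
function splitTopLevel(src) {
  const parts = [];
  let depth = 0, quote = null, cur = '';
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (quote) {                       // inside a string literal
      cur += ch;
      if (ch === '\\') cur += src[++i] || '';
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'") quote = ch;
    else if ('([{'.includes(ch)) depth++;
    else if (')]}'.includes(ch)) depth--;
    else if (ch === ',' && depth === 0) { parts.push(cur.trim()); cur = ''; continue; }
    cur += ch;
  }
  if (cur.trim()) parts.push(cur.trim());
  return parts;
}

// Decode a single- or double-quoted JS string literal (JSON-style escapes).
function unquote(lit) {
  if (lit[0] === '"') return JSON.parse(lit);
  const body = lit.slice(1, -1).replace(/\\'/g, "'").replace(/"/g, '\\"');
  return JSON.parse('"' + body + '"');
}

// Turn the array-literal argument into its list of string values.
function parseStringArray(lit) {
  return splitTopLevel(lit.trim().slice(1, -1)).map(unquote);
}

// Recognise the shape  (function(p1,...){BODY})(ARGS)  and take it apart.
function parseIife(script) {
  const m = /^\s*\(function\s*\(([^)]*)\)\s*\{([\s\S]*)\}\s*\)\s*\(([\s\S]*)\)\s*;?\s*$/.exec(script);
  if (!m) return null;
  return {
    params: m[1].split(',').map((p) => p.trim()).filter(Boolean),
    body: m[2],
    args: splitTopLevel(m[3]),
  };
}

// Undo the size tricks from Figure 10. This simple version does not track
// string literals, so it is applied to the body before strings are put back.
function normaliseLiterals(code) {
  return code
    .replace(/!0\b/g, 'true')
    .replace(/!1\b/g, 'false')
    .replace(/\b\d+(?:\.\d+)?e\+?\d+\b/gi, (n) => String(Number(n)));
}

// Fold "a"+"b" into "ab" after substitution so the result reads naturally.
function foldConcat(code) {
  const re = /"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"/g;
  let prev;
  do {
    prev = code;
    code = code.replace(re, (_, a, b) => JSON.stringify(JSON.parse(`"${a}"`) + JSON.parse(`"${b}"`)));
  } while (code !== prev);
  return code;
}

// Replace every NAME[N] reference to the string array with the string itself,
// returning the readable body (the Figure 9 view of a Figure 7 script).
function deobfuscate(script) {
  const iife = parseIife(script);
  if (!iife) throw new Error('not an IIFE of the expected shape');
  const idx = iife.args.findIndex((a) => a.startsWith('['));
  if (idx < 0 || idx >= iife.params.length) throw new Error('no string-array argument');
  const name = iife.params[idx];
  const table = parseStringArray(iife.args[idx]);
  const ref = new RegExp('\\b' + name + '\\[(\\d+)\\]', 'g');
  const code = normaliseLiterals(iife.body)
    .replace(ref, (m, i) => (Number(i) < table.length ? JSON.stringify(table[Number(i)]) : m));
  return { arrayParam: name, table, readable: foldConcat(code) };
}

console.log(deobfuscate(SAMPLE).readable);
```

The same helper applies to any script of this shape; only the regular expression in `parseIife` ties it to the single-IIFE layout the post describes.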

How I Own You?: Command and Control Module

For script-based malware, ProsLikeFan boasts quite complex C&C functionality. Once the script is deployed it keeps polling the C&C server at regular intervals for commands. Below is a screenshot of the C&C commands found in the malicious script:

Figure 11: Command and Control Module

The commands include: “u”, “d”, “b”, “redu”, “fbl”, “fbc”, “hp”, “fbf”, “e”, “r” and “dns.”

The command “u” updates the virus itself or updates the C&C with any new changes on the victim’s computer. Command “d” downloads a file from a specified URL, while command “r” runs any executable on the victim’s computer. Used in conjunction, these commands can download a file and run it on the victim’s computer, which could pull in other malware from any location.

The next set of commands, “fbl”, “fbf” and “fbc”, target the popular social networking site Facebook: they like a Facebook page, become a fan of a Facebook page and send out a Facebook chat message respectively.

Apart from these, there are commands for other activities such as setting the Internet Explorer homepage, modifying the DNS settings of the victim’s computer, etc.

A botnet of such infected machines provides a ready-made framework for other perpetrators who wish to infect the victims with their own malware. The administrator of the ProsLikeFan botnet can offer it as a service to anyone wishing to attack unsuspecting victims. Most cases of infection reported back to the lab also showed other malware infections on the victim’s machine.

This Is Me!: Conclusion

Though the worm’s activity may seem nothing out of the ordinary, it is worth analysing why it achieves this through unconventional means, such as a JavaScript-based worm that infects a victim and makes the machine part of a botnet. One reason may be that a non-PE format gives the attacker freedom to modify a specific module of the script. It can also be spammed out freely via email, unlike an executable, which would get filtered out. Initial versions of this worm had just one level of encryption; it then went on to become a multi-level obfuscated script. Text files, unlike PE binaries, do not have a fixed structure, making detection a bit more complex. Even then, they are detectable.






4. “Fans Like Pro, Too” – Peter Ferrie, Virus Bulletin, Sep’13

Kaarthik RM & Raja Babu A

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Volume II: Who aM I? Confessions of an Obfuscated JS Worm

Friday, March 21st, 2014

This is volume II of a three-part series based on our (Kaarthik RM and Rajababu A) paper for AVAR 2013, discussing the prevalence of autorun malware in the Asian region and taking it further by analyzing an example of such malware.

Carrying on from where we left off earlier…

Who aM I?: What is ProsLikeFan?

While typical autorun malware is usually a Microsoft Portable Executable (PE) file, ProsLikeFan is JavaScript based. Unlike PE malware, malware written in a scripting language has limitations, such as exposing its malicious intent in plain text. To overcome this, the malware author needs to employ various encryption and obfuscation techniques.

ProsLikeFan uses the WMI (Windows Management Instrumentation) query language to retrieve sensitive system information and posts it to a remote host. It also exploits the autorun mechanism to propagate to other computers, lowers the system security level by modifying certain registry entries, infects pen drives, sends out Facebook chat messages, ‘likes’ a Facebook page, downloads and runs an executable, changes the IE homepage settings, etc., all the while actively listening for commands from its C&C server. To a large extent it does all of the above without giving away much about what it intends to do, which is achieved by keeping its code encrypted at multiple levels, thereby hindering readability.

What I Can Do?: Overview of What the Worm Can Do

To begin with, this worm is VM aware, i.e. it can detect whether it is being run in a virtual environment such as VMware, Bochs or VirtualBox. It achieves this by retrieving system information through the Windows Management Instrumentation interface and matching it against known virtualization systems: it looks at the BIOS manufacturer, processor name, SCSI controller manufacturer, disk drive model, computer system manufacturer name, etc.

The worm hides itself from the victim using standard registry modification techniques that are widely employed by malicious software. It disables notifications from the ‘Windows Security Center’, turns off the Windows firewall, blocks the use of proxy servers, prevents access to the user’s homepage settings and disables System Restore.

The worm then copies itself to a location under %appdata% and %program files% with a random filename of 5-6 characters. It also places a copy of itself in the startup folder. Once executed, it can retrieve a trove of information from the user’s machine. It looks in specific locations for stored FTP passwords and user names. It then uploads the stolen data (computer name, anti-virus software, current user name, etc.), extracted through WMI and other means, to a remote server. It keeps enumerating all running processes at regular intervals and tries to terminate any security-software-related process.

To spread to other computers, the worm uses the autorun technique. It waits for a removable drive to be connected to the infected computer. Once one is connected, the worm creates a directory on the removable device with a copy of the main JavaScript file. It then hides all folders and creates shortcuts to these folders with a folder icon. Such a shortcut would in turn execute the main ‘.js’ file before opening the corresponding folder.

Apart from removable devices, the worm also uses file-sharing networks to spread. It places a copy of the main script in a zip file in the shared folders of well-known P2P applications such as Ares and Bearshare.

…To Volume III


Kaarthik RM & Raja Babu A


Volume I: Who aM I? Confessions of an Obfuscated JS Worm

Friday, March 14th, 2014

This is volume I of a three-part series based on our (Kaarthik RM and Rajababu A) paper for AVAR 2013, discussing the prevalence of autorun malware in the Asian region and taking it further by analyzing an example of such malware.

To Brief it Out…

The Autorun Worm: an infection that uses an antiquated mechanism to make itself prevalent, especially in the Asian region. Even though the Autorun or Autoplay feature was deprecated by Microsoft quite some time ago, it is still actively exploited in the wild. For instance, an autorun worm widely known as ProsLikeFan has been spreading like wildfire. Most interestingly, this is not your traditional Win32 PE binary but a highly obfuscated JavaScript. This worm is certainly not the handiwork of a script kiddie.

Beneath several layers of obfuscation lies WMI-based malware which can retrieve users’ system information and post it to a C&C server, and which invites other malware onto the host machine at the behest of the remote attacker.

This paper discusses the reasons why autorun-related malware is so prevalent in the Asian region, and the Indian sub-continent in particular. It also presents a technical dissection of the afore-mentioned JavaScript malware, covering its lifecycle and its geographical prominence, and includes a brief take on its C&C network.

Autorun & Its Prevalence

An autorun worm uses the now-deprecated Autoplay feature to launch malicious executables from removable drives. This vector has wide coverage because removable drives, or pen drives, have become the most popular method of quick data transfer via physical media.

Autorun worms have had a higher success ratio in the Asian region. A closer look at the infection ratio of worms in the Asian region gives a better insight into this. Figure 1 below shows worm infections as a percentage of the total infections in the Asian region.

Figure 1: Worm Infection Rate

The worldwide average for worm infections is 17.5%, as shown in the graph above, based on data from Microsoft’s Security Intelligence Report [1]. It is evident from the graph that in India almost 40% of infections are worm related.

Figure 1.1 below provides the breakdown of worm-related malware.

Figure 1.1: Breakdown of Worms Based on K7 Threat Control Lab’s Internal Telemetry

From the chart above it is clear that autorun malware dominates the worm category. Note that families like Vobfus and Gamarue also employ the autorun technique to widen their infection vector. Though most of the above-mentioned worm families are Win32 PE types, it is interesting to note that the non-PE category of worms is growing. For instance ProsLikeFan, as it is commonly known, is JavaScript malware on the rise.

Figure 1.2: Software Piracy Rates According to BSA Global [2]

The reason autorun malware thrives in India (see Figure 1.2) is that software piracy is still rampant, which rules out timely security updates. Also, only a very small percentage of computer users in India are broadband internet users, which again widens the target. It follows that only a very small percentage of computer users would have the Microsoft update that deprecated the autorun mechanism for removable drives.

To Volume II…



Kaarthik RM & Raja Babu A


Cryptolocker – A New Wave of Ransomware

Wednesday, October 16th, 2013

Ransomware, as the name suggests, works by restricting access to the computer or files it infects. The malware, on behalf of its author, then demands that the victim pay a ransom for the restriction to be removed.

At K7’s Threat Control Lab we recently noticed a new wave of this kind of ransomware. This notorious variant, called CryptoLocker by most security vendors, installs itself into the victim’s “Documents and Settings” folder. The malware then adds itself to the Windows auto-start location in the registry to ensure that it loads automatically every time the user logs on.

CryptoLocker then makes an HTTP POST request to a pre-determined set of domain names to download a unique password file, which it uses to encrypt the victim’s documents. The documents targeted include images, spreadsheets, presentations and text files, among others.

Once encrypted, the ransomware then pops up a ransom page like the one displayed below:

The malware gives the victim a limited amount of time to buy the password file that unlocks the data.

Protection against this threat is provided at multiple layers by K7’s Threat Control Lab. We proactively detect both the spam emails and the malicious URLs used to spread this ransomware, which appear to be the current infection vector. Should malicious content get past this layer of protection, our on-access scanner detects the malicious files themselves as Trojan ( 0000c3521 ) and Trojan ( 0040f66a1 ). We have also provided detection for this ransomware based on its run-time malicious behaviour.

Our usual advice about keeping one’s security solutions and Windows patches up to date, and being wary of downloading files from unknown sites, applies.

Lokesh Kumar
Malware Collections Manager, K7 TCL


Cyber Defence of the Realm

Saturday, March 9th, 2013

Our digital assets are not safe! India has been the victim of numerous cyber attacks at the national, state, corporate and individual-citizen levels, and the real and present danger has been acutely recognised by the central government. The Honourable Prime Minister, Shree Manmohan Singh, in a recent address to the Chiefs of Police, said:

“Our country’s vulnerability to cyber crime is escalating as our economy and critical infrastructure become increasingly reliant on interdependent computer networks and the Internet,”

“Large-scale computer attacks on our critical infrastructure and economy can have potentially devastating results.”

“The use of bulk SMSes and social media to aggravate the communal situation is a new challenge that the recent disturbances have thrown before us. We need to fully understand how these new media are used by miscreants,”

It is high time that we did something about these threats. We need to evaluate the nature of the threats, and devise robust defences against them such that the Constitutional mandates are upheld, and the Indian citizen’s rights are protected in virtual space as elsewhere. To this effect the National Cyber Safety & Security Standards initiative under the auspices of the Ministry of Communications and Information Technology, Government of India, has organised the NC4S – 2013 Summit to be held in Chennai next month.

We at K7Computing are extremely proud and privileged to contribute as the Cyber Defence Partner to this august symposium on national cyber security. We shall endeavour to fulfil our bounden duty of helping to safeguard the nation.

Samir Mody
Senior Manager, K7TCL


K7 Carniv0re 0NE: Ad0be PDF Zer0-day Expl0it L0VE

Thursday, February 14th, 2013

2013, the Year of the Snake, seems to also be the year of the zero-day exploit.

Yesterday Adobe announced a vulnerability which is being actively exploited in the wild. This is the fourth zero-day discovered in recent weeks in different software from different vendors, and it comes at a time when people may be more vulnerable to declarations of affection from unknown sources online. Today is Valentine’s Day, of course.

We received a sample of the malicious exploit PDF from Adobe via the Microsoft Active Protections Program framework in quick time, which demonstrates the effectiveness of organised information-sharing in the security domain.

The great news is that the Carnivore technology built into K7 security products proactively blocked any attempt by this exploit to compromise the computer, safeguarding the receipt of many whispered e-sweet nothings.

Please note, however, that whether it is Valentine’s Day or any other day, it is highly advisable to ignore emails and chats from unknown sources, be they R0me0 or Casan0va.


Samir Mody
Senior Manager, K7TCL


Good App? Bad App? : Unearthing the Android Puzzle via Automation (Part 2)

Saturday, February 2nd, 2013

This is the second part of a two-part blog based on my paper for AVAR 2012 that discusses the complications in automating the analysis of Android malware.

Continuing from the first part of my paper…

Detection Criteria for Automation

Automation requires a set of robust detection criteria which make it possible to determine whether an application is malware or legitimate. Some of the criteria, the key factors that could be used for automation, are described below:

Static Analysis

Permissions. In the Android architecture, applications request, at install time, that the user grant permissions (known as “capabilities” in the Android context) to access device data or other applications’ data. The manifest file, one of the main components of the Android application package, carries the information about these access permissions. By checking the list of permissions an application requests against its purported functionality, the application can be classified as either dangerous or clean.

Fig. 2 below shows the manifest file for the malware Android.Nickispy. This application claims to be a legitimate alarm receiver application but requests permissions to process outgoing calls, send SMS, etc., which are irrelevant to its functionality, thus raising suspicion.

Fig. 2, Capabilities Requested by Nickispy

Class names. It has been seen in some malware applications that a specific malicious class with the same name is bundled into many legitimate applications. It may be possible to flag applications based on blacklisted malicious class names.

Author name. All Android applications have to be signed. The author names of applications can also help cast suspicion on an application, since some malware applications carry the same author names, e.g. KingMall2010, we20090202 and myournet. Crawling third-party websites for known malware author names is likely to help the automation process.

Generic or heuristic rules based on judicious combinations of static criteria could help the automated detection system identify a new variant of a known threat family in no time.

Behavioural Analysis

Sandbox emulation plays a major role in spotting a malware application amidst other running legitimate applications. Running an application within a controlled environment helps the automation system understand the behaviour of the application in question and make a decision accordingly. A few of the behaviours that can be used to establish an application as malware are described below:

Internet Usage. Monitoring network activity, i.e. measuring the frequency of network access, or the network traffic of a particular service of an application, or of any installed application, in relation to its purported functionality would provide extra scope to categorise applications.

Root Access. Much Android malware requires root access (administrative power) to carry out its mala fide functions on the victim’s device. It acquires root access by bundling itself with legitimate applications that require root access, by triggering an application on the victim’s device that requires root access, or by invoking exploits such as Exploid and RageAgainstTheCage that it carries within itself.

Root access enables a malware application to protect itself from being easily identified. Installing the dropped application in the system partition makes it difficult for the user to uninstall. Therefore applications that manage to acquire root access within a certain context could be highly indicative of malware.

Some legitimate applications may also exhibit runtime behaviour that triggers the above criteria, so the detection logic, perhaps based on a scoring system, needs to be formulated with some care. Note, however, that malware writers may be able to evade detection by suppressing the malicious behaviour of their packages when they sense the presence of an emulator [5]. Even Google Bouncer, Google’s behavioural detection system, is no exception [6].
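As an added example (written here, not taken from the post or from any product), the following Node.js snippet turns the static criteria above, permissions checked against purported functionality and a signer-name blacklist, together with the scoring idea mentioned in the previous paragraph, into a small triage function. The manifests, weights, expected-permission profiles and thresholds are constructed assumptions; only the signer names come from the post.

```javascript
// Added example: static triage of a decoded AndroidManifest.xml, scoring
// requested permissions against the app's purported purpose and checking
// the signer name. All weights, profiles and thresholds are assumed values.

// Constructed manifest (as a decompiler would show it) for an app that
// claims to be an alarm receiver, modelled on the post's Nickispy example.
const SUSPECT_MANIFEST = `
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.alarmreceiver">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Alarm Receiver"/>
</manifest>`;

// Constructed manifest for an alarm app that asks only for what it needs.
const CLEAN_MANIFEST = `
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.simplealarm">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>`;

// Weights for permissions that reach paid services or private data
// (assumed scale for this example, not a published one).
const SENSITIVE = {
  'android.permission.SEND_SMS': 4,
  'android.permission.RECEIVE_SMS': 3,
  'android.permission.READ_SMS': 3,
  'android.permission.PROCESS_OUTGOING_CALLS': 4,
  'android.permission.CALL_PHONE': 3,
  'android.permission.READ_CONTACTS': 2,
  'android.permission.ACCESS_FINE_LOCATION': 2,
  'android.permission.RECORD_AUDIO': 3,
  'android.permission.INTERNET': 1,
};

// What an app of each purported category is expected to ask for (assumed).
const EXPECTED = {
  alarm: new Set(['android.permission.RECEIVE_BOOT_COMPLETED',
    'android.permission.VIBRATE', 'android.permission.WAKE_LOCK']),
  messaging: new Set(['android.permission.SEND_SMS', 'android.permission.RECEIVE_SMS',
    'android.permission.READ_SMS', 'android.permission.READ_CONTACTS',
    'android.permission.INTERNET']),
};

// Signer names the post lists as shared across known malware samples.
const SIGNER_BLACKLIST = new Set(['KingMall2010', 'we20090202', 'myournet']);

// Pull every <uses-permission android:name="..."> out of the manifest text.
function requestedPermissions(manifestXml) {
  const re = /<uses-permission[^>]*android:name="([^"]+)"/g;
  const perms = [];
  let m;
  while ((m = re.exec(manifestXml)) !== null) perms.push(m[1]);
  return perms;
}

// Score sensitive permissions the purported category does not explain,
// add a penalty for a blacklisted signer, and map the score to a verdict.
function assessApp({ manifestXml, category, signer }) {
  const perms = requestedPermissions(manifestXml);
  const expected = EXPECTED[category] || new Set();
  const unexpected = perms.filter((p) => p in SENSITIVE && !expected.has(p));
  let score = unexpected.reduce((s, p) => s + SENSITIVE[p], 0);
  const flags = unexpected.map((p) => `unexpected permission ${p}`);
  if (signer && SIGNER_BLACKLIST.has(signer)) {
    score += 5;
    flags.push(`blacklisted signer ${signer}`);
  }
  const verdict = score >= 6 ? 'suspicious' : score >= 3 ? 'review' : 'clean';
  return { permissions: perms, unexpected, score, flags, verdict };
}

console.log(assessApp({ manifestXml: SUSPECT_MANIFEST, category: 'alarm', signer: 'we20090202' }));
console.log(assessApp({ manifestXml: CLEAN_MANIFEST, category: 'alarm', signer: 'example-dev' }));
```

The same SMS permissions score zero when the purported category is `messaging`, which is the point of judging permissions against claimed functionality rather than in isolation.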

Difficulties in Automated Detection Posed by PUAs

A major challenge in the automated detection of Android malware comes from Potentially Unwanted Applications. PUAs complicate matters since they may look and smell like malware but may not, in fact, be malware. PUAs may include, but are not limited to, adware, toolbars, monitoring and hack tools, tools used to create applications, etc. Such applications have proven to be a major headache in the PC malware domain. In 2012 PUAs contributed a sizeable number to the “malware” count, and according to the research conducted, the number of these applications is expected to keep rising.

PUAs are often found bundled with other applications that require a EULA (End User Licence Agreement). By accepting the terms and conditions in this EULA, the user is indirectly authorising the installation of ad-supported or other applications bundled in the package. Hence, the user may find it difficult to consistently distinguish the applications installed in addition to the original application. There are similar issues for automated systems.

Marketing. A few applications may come bundled with known Android packages as a marketing strategy, displaying notification advertisements to promote a different application, or a new version of the same application, in which the user may be interested.

These types of applications may not satisfy any of the previously-mentioned detection criteria to declare them as a malware. On the other hand these programs cannot be flagged as safe either, as they install themselves on the device without the user’s knowledge. Decision making on these applications is really challenging, as some users may consider these PUAs to be beneficial, the risks notwithstanding.

Ad-networks. Of late, fake markets closely resembling the official Android marketplace have been seen, hosting nothing but malware applications for mobile operating system platforms such as Android, Symbian and J2ME. Alongside these, there are ad-networks that allow advertisers to display advertisements for their application in the middle of an application session, drop an icon ad on the phone desktop, or leave an advertisement in the notification bar of the user’s device.

For instance, one such website claims to be the first PUSH notification mobile ad network for Android smartphones. It carries an application which, when run, asks the user for the IMEI (International Mobile Equipment Identity), MEID (Mobile Equipment Identifier) and ESN (Electronic Serial Number) of the device, even when the user merely wants to unsubscribe from any of the ads by AirPush. Automating the classification of such ad-networks, and deciding on related supporting applications which request personal information, is truly complex.

DoS attacks. As with PC malware, DDoS attacks are also witnessed on Android. With the help of a free online service which requires just a URL or HTML to create Android applications, new applications with the desired functionality can be created. For example, Android/DIYDoS [McAfee], grouped under PUAs, works with LOIC (Low Orbit Ion Cannon) in JavaScript form to send out a large number of network packets directly from the browser in order to perform a DDoS attack on a particular domain. When the user runs this application, the content of the URL is displayed in a browser, while the hidden JavaScript carries out the DDoS attack in the background [7]. As this application merely directs the user to a particular URL, such applications or tools demand more attention in the automated detection process.

Tools. Monitoring tools like keyloggers may log the activity on the device for which they have been designed, including SMS messages, call details, network traffic, etc. The questions are how they were installed (whether without the user’s knowledge) and whether they leak the logged information.

There could also be a scenario when the application masquerades as a legitimate application that requires root access, and behind the scenes it acts as an agent for other malware applications, e.g. to provide them with root access. Analysing these kinds of applications automatically requires a lot of extra effort and care, as the maliciousness of one application can only be identified within the context of another application’s malware behaviour.

Mobile handset manufacturers build in a few applications which the manufacturer believes to be of interest to the user. These applications may have the functionality to intercept user data. One such example, Android.HTClogger, collected significant amounts of user information and stored the data within itself. Even though these applications do not themselves conduct any malpractice, there is a possibility that other malware applications could use this data.

Another interesting application of this kind, Mobile Tracker, comes built into Samsung Dive and allows the owner to control the device through SMS in case it is lost or stolen. This application awaits a trigger from a predefined number or website, from which it may intercept any incoming messages.

Some of the major problems in the automated detection process for Android threats are discussed above. Unfortunately automation may classify a PUA as malware, or may fail to classify a threat as malware, or may fail to flag a PUA if the thresholds are not hit. However, automation is not meant to be a 100% solution.


It goes without saying that the IT security industry always strives to protect the user from any threat, be it for computers or mobile phones. Automated detection systems would help protect users by flagging new variants of old threats, or even brand new threats, in a timely fashion. The pitfalls in this automated detection process have already been highlighted.

Fortunately, some of the static criteria used in the automated detection system can also contribute to whitelisting an Android application. There is an ongoing industry-wide effort to collate and store whitelist metadata (that could include inter alia checksum, signer’s name, capabilities, etc.,) for Android applications in a centralized location. AV vendors would then be able to query this central database to decide if an application is safe or not. This could allow AV vendors to be more aggressive with their detection criteria without increasing the risk of false positives.

In addition, mobile AV vendors could come up with a common set of rules to establish whether an application is a PUA or not. Doing so could reduce the level of ambiguity when attempting to categorise PUAs versus malware, and thus may minimize the complications posed by Android PUAs in the automated detection process.


The Android platform is here to stay. Given its mass user appeal for a variety of reasons, Android usage has shot through the roof. This provides an irresistible opportunity for malware authors and others who are ethically weak to milk Android users for monetary gain. They have grabbed this opportunity with glee.

As was the case for PC malware over the years, Android malware have evolved in number and diversity of functionality. There has even been a proliferation of Potentially Unwanted Applications for Android. The increasing number and severity of Android badware necessitates a robust AV industry response. AV vendors are likely to implement automated detection infrastructure based on static and dynamic rules, proactive protection, and cloud lookups with the aim to protect the Android user at the earliest. One gets a sense of déjà vu vis-a-vis the experience with PC malware.

PUAs are applications which sometimes have functionality or behaviour which push the boundaries between malware and not-malware, infuriating some users and complicating the process of detection, whether automated or proactive. This is because categorisation of PUAs is a subjective process, and the misclassification of a PUA as malware does not always go down too well with either the user or the software’s author.

Industry-wide collaborations to collate useful metadata on known clean Android applications, along with an agreed, consistent set of criteria to define PUAs could help in separating the wheat from the chaff, especially in the case of an automated detection system. Unfortunately, as opinions always differ, unearthing an Android app may yet remain a puzzle.



[1] Based on internal data


Malware Analyst, K7TCL


Good App? Bad App? : Unearthing the Android Puzzle via Automation (Part 1)

Wednesday, January 9th, 2013

This is the first part of a two-part blog based on my paper for AVAR 2012 that discusses the complications in automating the analysis of Android malware.

With increasing popularity comes the danger of threats. Android malware is growing at a massive rate in parallel with the rise in Android smartphone usage. Malware writers have been very successful in spreading Android malware by availing of the relatively weak registration and signing policy for third-party markets, and the official Android market as well.

The exponential rise of malware for the PC necessitated the incorporation of automated detection infrastructure, and one predicts the same requirements for Android malware. Via automation it is possible to make intelligent decisions on an Android application’s functionality to determine its status as good or bad, as performed by Google’s Bouncer, a behavioural decision-maker.
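One concrete form of the automated decision-making described above is a static rule pass over the decoded AndroidManifest.xml, run before any dynamic analysis. The block below is an added example written for this page, not K7's or Google's tooling: the two manifests it inspects are constructed for the example, and the rule names, the priority threshold and the mapping from rule hits to a verdict are the author's assumptions rather than any vendor's criteria.

```python
"""Static manifest rules of the kind an automated Android analysis pipeline
applies before any dynamic run. Added example; both manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Assumption: a receiver that claims SMS_RECEIVED at or above this priority is
# trying to see (and possibly abort) incoming SMS before the stock messaging app.
HIGH_PRIORITY = 1000


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyse_manifest(xml_text):
    """Return {'permissions': [...], 'hits': [(rule, detail), ...]} for one manifest."""
    root = ET.fromstring(xml_text)
    perms = {n for n in (_attr(p, "name") for p in root.iter("uses-permission")) if n}
    hits = []

    # Rule 1: premium-rate SMS Trojan indicator.
    if "android.permission.SEND_SMS" in perms:
        hits.append(("sms_send", "declares SEND_SMS"))

    # Rule 2: SMS interception, the pattern used by SMS-controlled bots and
    # mTAN stealers: RECEIVE_SMS plus a high-priority SMS_RECEIVED receiver.
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED not in actions:
                continue
            priority = int(_attr(flt, "priority") or 0)
            if "android.permission.RECEIVE_SMS" in perms and priority >= HIGH_PRIORITY:
                hits.append(("sms_intercept",
                             "receiver %s takes SMS_RECEIVED at priority %d"
                             % (_attr(receiver, "name"), priority)))

    # Rule 3: microphone plus network, what a call recorder needs to exfiltrate.
    if {"android.permission.RECORD_AUDIO", "android.permission.INTERNET"} <= perms:
        hits.append(("audio_exfil", "RECORD_AUDIO together with INTERNET"))

    return {"permissions": sorted(perms), "hits": hits}


def verdict(result):
    """Coarse decision from rule hits. Assumed weights: interception is treated
    as malicious; any other single hit is only suspicious, because a legitimate
    SMS client or dialler trips the same rules (exactly the grey area)."""
    rules = {rule for rule, _ in result["hits"]}
    if "sms_intercept" in rules:
        return "malicious"
    if rules:
        return "suspicious"
    return "clean"


# Constructed manifests for the example (not real packages).
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.smsbot">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Battery Saver">
    <receiver android:name=".CommandReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_MANIFEST), ("clean", CLEAN_MANIFEST)):
        result = analyse_manifest(text)
        print(label, verdict(result), result["hits"])
```

The rules deliberately key on combinations rather than single permissions: RECEIVE_SMS on its own is what every messaging client asks for, and it is the high-priority receiver alongside it that indicates an intent to read (or swallow) SMS before the user does. Even then a rule pass like this only produces a candidate; a real pipeline would feed the hit into a dynamic run or a reputation lookup before calling a verdict.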

Unfortunately, recent studies show that, as on the PC, Android adware applications can be found in the wild. These Android Potentially Unwanted Applications (aka PUAs), apart from being a nuisance to the smartphone user, also complicate decision-making in the automated analysis of Android malware. There is little doubt that the number of Android PUAs will rise dramatically over time and, like their PC counterparts, they will muddy the waters, introducing a lot of grey between the black and white. Deciding whether an application is a PUA or malware has never been easy even in the PC world, since opinions can always differ.

This paper charts the rise of Android malware and Android PUAs. It describes the automated analysis of an Android application, focussing on the malware decision-making criteria, and discusses the difficulties in decision-making posed by Android PUAs.

Android Malware Growth 

There was an explosive increase in the number of Android malware up to November 2011, and the numbers continue to grow. Malware authors have made good use of the third-party Android markets to spread far and wide, and have at times infiltrated even Google Play (formerly known as Android Market).

Fig. 1 below charts the rise in Android malware since November 2011 till the time of writing.

Fig. 1, Android Malware Growth [1]

Even though the chart above depicts a slight dip in between, the mal-packages released in that period were no less severe in terms of data or monetary loss for the victim. There were major outbreaks as well that had a huge impact on Android mobile users. For example, Android.MMarketPay places orders for items in China Mobile's online market without the user's knowledge, and is coded to handle the response from the online market, whether it arrives as an SMS or a CAPTCHA. Another major outbreak, AndroidOS.Counterclank, which dropped a search icon that directed the user to a fake Google search page, recorded a large number of infections.

Malware authors also invested time in improving their propagation methods, discovering new ways to spread their packages and to trick users into installing them.

Studies show that most Android malware aims at monetary benefit and stealing the victim's personal information. Interestingly, in recent times there have been malware that take the route of targeted attacks [2] on a particular region or country to achieve monetary benefit. For instance, the newly found Android.SMSZombie attacks Chinese users by exploiting a vulnerability in China Mobile's mobile payment process [3]. The existence of regional or targeted attacks implies that there could be instances of malware world-wide that we do not even know about, so the real malware count could be somewhat higher than that shown in Fig. 1 above.

In addition, the technique of polymorphism employed by the malware writers to create multiple variants of the same malware, contributes significantly to the rise in Android malware.

All these factors considered within the Android malware space, it is expected that the raw malware count would increase manifold in future.

Android Malware Growth by Trend 

As per Darwin's "survival of the fittest", even malware compete with one another in terms of the complexity of behaviour and detection-evasion techniques. Indeed, the behaviour of one malware family could interfere with that of another. The lifecycle of any malware ends the moment it is identified by security software. Bearing this in mind, malware authors engage new strategies to enter and compromise the user's device.

Even though old-fashioned SMS Trojans still exist, Android malware can be seen to have evolved beyond the usual behaviour of sending out SMS messages. Among the several new behaviours, the example of Android.Nickispy, found to record the user's conversations and send them to a remote C&C server, stands out.

Let us explore a few of the other notable behaviours of Android malware in the recent times:

Botnets. These malware applications are controlled by a remote server through the issuance of commands. The latest malware of this kind, Android.Tigerbot, is controlled via SMS messages from a remote server. This mal-package checks whether an incoming SMS message comes from the remote server before the phone's own messaging service ever sees it, so commands can be consumed silently. Thus the remote attacker is able to control the device.

Work as a Group. A single application drops two or more components from itself to accomplish the malware activity. A couple of examples are Trojan-Dropper.AndroidOS.Foncy.a and Android.OSSpy.

Fake Applications. As in the case of the Windows OS, Android malware too have been found to display fake scan results [4] with a link to websites that may host other malware applications or phish for the user’s personal information.

AV Killer. In recent times there have been Android malware that search for the running services of known security software and kill them to escape detection. An instance of this is Android.UpdtKiller.

Image Modifiers. Some Android applications doing the rounds check for images on the SD card and modify them, exhausting the memory card with fewer but much larger files.

Polymorphism. Android malware implement the concept of polymorphism by modifying the data folder, changing the order of files, or adding files to the package that are in no way connected to the application's malicious behaviour. It is only a matter of time before the main binary malware components begin to incorporate junk content as well, including junk code within the execution chain.

Zitmo / Spitmo. This kind of malware, though seen earlier, is still highly dangerous, as it intrudes on the user's online banking transactions. By collecting the mTAN (mobile Transaction Authentication Number) that the bank sends to the customer's device, attackers can authorise transactions on the victim's account.

PUPs or PUAs. Also in circulation nowadays are applications with activities of dubious intent, e.g. displaying pop-ups. These applications may be referred to as Potentially Unwanted Applications (PUAs) or Potentially Unwanted Programs (PUPs), given that certain users may not consider them undesirable. Decision-making on this category of applications can be really complex and error-prone.
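The polymorphism described in the growth section and under "Polymorphism" above (junk files, reordered members, a renamed data folder) changes the bytes of the APK without changing the code that runs. The block below is an added example, not K7's detection logic: it builds two constructed APK variants in memory and shows that a fingerprint taken over the code-bearing members alone (manifest, DEX files and native libraries, a selection that is the author's assumption) is identical for both, while the whole-file hash that a naive signature would use is not.

```python
"""Fingerprint that survives junk-file and file-order polymorphism.
Added example with constructed in-memory APKs; the 'code-bearing member'
rule is the author's assumption, not any vendor's."""
import hashlib
import io
import zipfile


def is_code_member(name):
    """Members that carry behaviour: the manifest, every classesN.dex, native libs."""
    return (name == "AndroidManifest.xml"
            or (name.startswith("classes") and name.endswith(".dex"))
            or (name.startswith("lib/") and name.endswith(".so")))


def structural_fingerprint(apk_bytes):
    """SHA-256 over code-bearing members in sorted name order, so reordering
    the archive, renaming asset folders or padding with junk leaves it unchanged."""
    digest = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as archive:
        for name in sorted(n for n in archive.namelist() if is_code_member(n)):
            data = archive.read(name)
            digest.update(name.encode("utf-8"))
            digest.update(len(data).to_bytes(8, "big"))  # length prefix avoids ambiguity
            digest.update(data)
    return digest.hexdigest()


def whole_file_hash(apk_bytes):
    """The naive hash a signature on the raw package would use."""
    return hashlib.sha256(apk_bytes).hexdigest()


def build_apk(members):
    """Build an in-memory zip from an ordered list of (name, bytes); order is kept."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in members:
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins: not a real manifest or DEX, just bytes that play the part.
MANIFEST = b"<manifest package='com.example.sample'/>"
DEX = b"dex\n035\x00" + bytes(range(64))

VARIANT_A = build_apk([
    ("AndroidManifest.xml", MANIFEST),
    ("classes.dex", DEX),
    ("assets/data/config.txt", b"v1"),
])

# Same code, but reshuffled, with a renamed data folder and junk members added.
VARIANT_B = build_apk([
    ("assets/junk/readme.txt", b"lorem ipsum " * 50),
    ("classes.dex", DEX),
    ("assets/data2/config.txt", b"v1"),
    ("res/drawable/filler.png", b"\x89PNG" + bytes(32)),
    ("AndroidManifest.xml", MANIFEST),
])

if __name__ == "__main__":
    print("whole-file hashes equal:",
          whole_file_hash(VARIANT_A) == whole_file_hash(VARIANT_B))
    print("structural fingerprints equal:",
          structural_fingerprint(VARIANT_A) == structural_fingerprint(VARIANT_B))
```

The caveat is the one the list item itself predicts: once junk is injected into the DEX rather than around it, this fingerprint changes too, and detection has to move down to code-level features (per-method or per-class hashes, string and API-call sets) instead of hashing the whole DEX.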

The evolution in the severity and malicious nature of Android malware bears a striking similarity with that of PC malware, but over a far shorter timeframe. It seems that one can predict the trends in Android malware by comparison with those of PC malware, including the proliferation of borderline PUAs and other “tools”. Thus it is possible to better prepare the security response to Android malware based on the lessons learned in the PC malware domain.


During the early stages of computer insecurity, most threats were intended to damage the computer. Later, however, malware writers shifted their focus from crashing the computer to financial gain. At this point there was an enormous increase in the count of Trojans and spyware in the threat landscape, which demanded automated detection systems to protect users in a timely fashion. Similarly, Android malware were initially aimed simply at sending out premium-rate SMS, but now they involve behaviours like stealing the user's personal information, redirecting messages from banks, drive-by downloads, zombies, and so on.

Within a short span of time, Android malware behaviour has progressed quickly, whereas computer malware took a considerable period to evolve its functionality. Studies on Android mobile security reveal that the number and variety of Android threats is increasing year on year, and the same is expected to continue in future. Despite users' awareness of Android malware, the number of infections continues to increase unabated. This alarming situation drives the need to automate the detection of Android threats for quick response. There is also an emphasis on the need for proactive protection against Android malware. It ultimately becomes the responsibility of security software to protect the user by providing the right solutions at the right time.

To be continued…


Malware Analyst, K7TCL


The 0racle May Foresee a Storm in a Coffee Cup

Monday, September 3rd, 2012

Let’s wake up and smell the coffee.

There have been several security write-ups about the recent 0-day Java vulnerability CVE-2012-4681. Oracle itself only issued a bulletin recently, but the vulnerability has been right royally exploited in the wild by cyber criminals in Russia and China (well, no surprises there).

It has been a turbulent week or so, with the same exploit code first being used in a targeted attack, and later being commercially incorporated in bog standard exploit kits. Indeed, a fair amount of bad news.

Fortunately, Oracle has now provided the security update to patch the vulnerability. We recommend applying this ASAP if you are running Java. Note, however, that K7's Carnivore technology was already blocking attempts to exploit CVE-2012-4681, right from day zero. Furthermore, many of the known bad URLs were already blocked by K7's SiteBlocker, with generic detections playing a part. Finally, the exploit JARs and the associated binaries have been tackled in a proactive fashion. This means the K7 fortress around the user has kept things safe and secure.


Samir Mody
Senior Manager, K7TCL


From Domain Name Servers to Dead Name Servers

Saturday, July 7th, 2012

A few months back we had blogged about how the FBI had extended the deadline for turning off the rogue DNS servers it had taken control of. Lo and behold! That deadline has finally arrived.

Given the length of the grace period provided before shutting these servers down, one would assume that the infected PCs would have been cleaned up by now. However, according to the DNSChanger Working Group, a worrying number of PCs still have their DNS entries pointing to the malicious servers.

Our customers need not worry though, for K7 products already have the functionality to detect these rogue DNS IP addresses and replace them with known good ones.
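The check the post describes, resolver addresses compared against the rogue ranges and swapped for known good ones, is simple enough to show in full. The block below is an added example, not K7's product logic: the six address blocks are the ones the FBI and the DNSChanger Working Group published for the seized servers (a fact outside this post), the resolv.conf text is constructed for the example, and the choice of replacement resolvers is the author's assumption.

```python
"""Check a resolver configuration against the DNSChanger rogue address ranges
and substitute known-good resolvers. Added example, not K7's product logic."""
import ipaddress

# The six blocks the FBI / DNSChanger Working Group published for the seized
# servers (quoted from the public advisories, not from this post).
ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

# Assumption: what to point the machine at instead (Google Public DNS here;
# the ISP's or the corporate resolver would be the usual choice).
KNOWN_GOOD = ["8.8.8.8", "8.8.4.4"]


def is_rogue(address):
    """True if the address (a string) lies in any of the seized DNSChanger ranges."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in ROGUE_RANGES)


def _nameserver(line):
    """Return the address from a 'nameserver X' line, or None for any other line."""
    parts = line.split("#", 1)[0].split()
    if len(parts) == 2 and parts[0] == "nameserver":
        try:
            return str(ipaddress.ip_address(parts[1]))
        except ValueError:
            return None
    return None


def remediate(resolv_conf_text):
    """Return (rogue_addresses, corrected_text). Only rogue nameserver lines are
    touched; comments, 'search' and 'options' lines pass through unchanged, and
    the known-good resolvers are inserted once, where the first rogue entry was."""
    rogue, out, inserted = [], [], False
    for line in resolv_conf_text.splitlines():
        addr = _nameserver(line)
        if addr is not None and is_rogue(addr):
            rogue.append(addr)
            if not inserted:
                out.extend("nameserver %s" % good for good in KNOWN_GOOD)
                inserted = True
            continue
        out.append(line)
    return rogue, "\n".join(out) + "\n"


# Constructed sample resolv.conf: one resolver inside a rogue block, one local.
SAMPLE_RESOLV_CONF = """# constructed sample, not a real host's configuration
search corp.example
nameserver 85.255.112.36
nameserver 192.168.1.1
options timeout:2
"""

if __name__ == "__main__":
    found, fixed = remediate(SAMPLE_RESOLV_CONF)
    print("rogue resolvers:", found)
    print(fixed)
```

On Windows the same comparison applies to each interface's DNS server list rather than to resolv.conf, and the DHCP-supplied settings of a home router should be checked too, since DNSChanger also rewrote those. Once the seized servers are switched off, the symptom on a still-infected machine changes from silent redirection to plain DNS failure, which is why the check is worth running even though the malicious redirection has stopped.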

Lokesh Kumar

