Malware descriptions

Stealing to the sound of music

According to the old Chinese saying, the journey of a thousand miles begins with one step. And our path to revealing large-scale theft of VKontakte users’ personal data began with an email from a user asking us to take a look at a suspicious app.

At first glance, the VK Music app only displayed legitimate functionality – it played audio files uploaded to the social network. But further study showed that it also contained malicious code designed to steal VKontakte user accounts and promote certain groups on the social network.

VK Music was available for download at the official Google Play app store. By our estimates, the attackers could have used the app to steal hundreds of thousands accounts from users of the social network.

How this malicious program works

Immediately after running, VK Music asks users to enter their login and password for their VKontakte account so that the app can function on the site.

Stealing to the sound of music

After users enter their login details the app sends them to the legitimate authentication server oauth.vk.com. If authentication is successful, the user can listen to music uploaded to the social network. At the same time, a Trojan sends the verified login and password to a cybercriminal server in ordinary text.

Stealing to the sound of music

It should be noted that this method of transferring the logins and passwords could also result in them being used by other criminals, because the secure HTTPS protocol is not used.

The Trojan then contacts its server for a list of groups to be promoted by the attackers and immediately adds the stolen accounts to these groups.

In addition to promoting groups, the attackers can change passwords and use stolen accounts at their own discretion: we know of cases when victims of the Trojan lost access to their accounts on VKontakte after a period of time.

Mass infection

As mentioned above, VK Music could be downloaded from the official Google Play store. Such apps are very popular among Android users.

Stealing to the sound of music

The first version of the malicious VK Music app known to us was published on Google Play on 16 August 2015. Then the versions were modified every 6-10 days. Only the package name differed for all the versions – the functionality remained unchanged.

The latest version known to us was published on 4 October. It was at least the seventh version of the malicious application; the earlier six modifications were removed by Google. At the same time, according to data in the Trojan code, it was the 15th version of the application. We cannot confirm that all those versions were published on Google Play; we have only seen seven of them.

What makes the situation worse is the ease with which the fraudsters upload every new version of the Trojan in place of those that are blocked.

By the next day the version published on 4 October already had an average score of 4.5 with more than 600 user ratings.

Stealing to the sound of music

According to Google Play, the latest version was downloaded by between 100 000 and 500 000 users in just two days. Our data suggests that one of the earlier versions was 10 times as popular, meaning that version alone could have infected hundreds of thousands of devices.

Effects

For the user, the theft of his VKontakte authorization data will go unnoticed until the criminals decide to use the data and change the login/password or start sending spam from a stolen account.

We urge users to be careful and not to enter their login details in third-party apps. If you have installed VK Music or a similar app for listening to music on VKontakte, we strongly recommend you remove it and immediately change the login and password to your account on the network.

We reported the latest version of the malicious app to Google, and it has been removed. The groups promoted by the Trojan were blocked by the social network’s administration, whom we also informed.

All versions of the malicious application are detected by Kaspersky Lab products as Trojan-PSW.AndroidOS.MyVk.a.

Special thanks to Alexander Denkov for his help in detecting this malware.

Stealing to the sound of music

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox