What is the threat report?

Every quarter AVG’s Threat Labs publish their findings after monitoring the threat landscape for three months. These findings are put together in the Community Powered Quarterly Threat Report which examines incidences such as emerging threats, malware trends and mobile threats.

The report is based on the Community Protection Network traffic and data, which is then collected and analyzed by AVG Threat Labs. The Community Protection Network is an opt-in network of users who choose to share information on the threats they encounter. The Community Protection Network embodies what we believe about strength in numbers at AVG, as we say: “We Protect Us”

What are the major findings?

While the full Threat Report is too long to reproduce in detail, the highlights from the Q2 2012 are:

• Sex and Fear: Two vulnerabilities exploited by cybercriminals
• Arrival of the Android Bootkit and emerging Android threats
• The China Connection

Sex and fear: Two human traits cybercriminals are exploiting for cash:

Rogueware is a form of Internet fraud using computer malware that deceives or misleads users into paying for fake services. This can include the simulated removal of malware or the promise of access to x-rated files. Instead of doing these things, it introduces malware to the computer.

In the last quarter, AVG security labs detected more than 3 million incidents related to rogue software; so by now many Internet users have seen, heard, or read about social engineering and fake antivirus sites that distribute rogue antivirus software. They are naturally, therefore, more cautious about what they download and install from the web.

In response to this new found caution, Rogueware creators are looking for new ways to manipulate an educated, wary user.

During April 2012, AVG Threat Labs detected a mass SQL injection campaign which injects iframes onto legitimate sites, which lead to fake antivirus application and fake Flash update sites. Even though the users wouldn’t have fallen for the social engineering tactics, the malware will be installed on their machine without their consent. Thus, simply visiting a fake antivirus site will infect visitors. Closing the browser offers no protection since the exploit has already run and any vulnerable system becomes infected (what is known as a drive-by download)

Emerging Android Threats:

This quarter has seen an explosion in malware explicitly designed and written for the Android platform, targeting smartphones and tablets.

As mentioned in the Q1 2012 Threat Report, the number of users on Android devices continues to rise and we are seeing Android specific malware continues to rise along with it.

This quarter saw the emergence of a new type of Android threat, the first Android Bootkit. A Bootkit is an infected malware application which requires root access to the device such as “ROM Manager Premium”. The Bootkit represents an interesting evolution in the Android threat landscape.

The malware writer infects the legitimate application which then spreads on third party app stores around the world (not on the official Google Play shop). A user will then download the app and unwittingly allow it root access, effectively surrendering the phone to any number of malicious purposes.

The recently discovered “Angry Birds Space” rogue app works in a similar fashion.

The attackers embed malicious code granting root privileges of the device to the immensely popular game “Angry Birds Space”. Social engineering techniques were also used in this case to convince the user that the “malicious game” is the original game. To reduce suspicion even further, the attackers provided a full functional game. The end user who downloads the Trojan will not be aware of its background malicious activities while playing. Cyber criminals are then able to gain root privileges of Android devices and add them to the botnet and begin to turn profit for the malware writer.

AVG recommends taking the following steps to ensure that you do not fall foul to malicious Android apps.

• Prior to installing any application, do background check on the developer and the application, especially true when downloading it from Android markets which are not the official Google Play.
• When installing new apps to your Android device, always look at the permissions application requests to approve and make sure the list seems appropriate.
• Only download apps from application stores, sites and developers whom you trust, and always check the application star rating, developer information and user reviews to make sure you know what you are downloading.
•  Set your Android device to download apps from Google Play only.
• Keep your device protected by installing anti-virus application as AVG Mobilation.

The China Connection:

One notable trend in the last three months was the amount of malware originating from China. Email scams and malicious Android applications uploaded to third party application markets were just two of the threats identified. These targeted China and in some cases, neighboring countries including Japan, South Korea, Taiwan and the US.

In the past few weeks, we have collected more than 25 unique malicious Microsoft Office attachments that were distributed to thousands of users via spammed e-mail messages. The email message text usually contains some recent political hot news or specific Asian territory story or incident.

But of all these outbreaks, one was much more widespread than the rest: CVE-2012-0158. This vulnerability can be triggered by opening specially crafted document file in one of the affected Microsoft products. Once the document is opened in the host application it crashes and the malware payload is executed, downloading a Trojan that then collects sensitive user information such as username and passwords for various websites services and applications and sends this data to attacker’s server.

However, when Microsoft patched this vulnerability it alerted many malware writers to its existence. Attackers know that the patching processes (by end users and network administrator) take some time and the “window of opportunity” is quite wide. Patching the systems should be done automatically, however; it is not the case in the real world.

On top of this, cybercriminals are aware that many users are using pirated versions of software. The total worldwide software piracy rate for PC software is 42%, which means that hundreds of millions people are not even able to even patch their systems since they are using pirated software versions.

Read the full report in detail here to find out more about all of these stories and more…

Did you know that 42% of the world’s spam is sent from within the United States?

Or that Blackhole Exploit Kits make up over half of detected malware in Q2 2012?

For more information on the Threat Report, get in touch with us here on the blogs, on Facebook or Twitter.