Symantec security officials say developers of Android.Opfake are using Twitter to lure users into clicking on their malware.
Symantec security researchers are seeing cyber-criminals
increasingly using Twitter as a way of luring mobile device users to their
In a March 12 post on Symantec's
, company employee Joji Hamada said that tweets are becoming a popular
way for cyber-criminals to bring people to the Android.Opfake malware.
Users can potentially end up infecting their mobile devices
with Android.Opfake by searching for tweets on subjects such as software,
mobile devices, pornography or even dieting topics, to name a few, Hamada
wrote. Android.Opfake is not hosted on the Android Market (Play Store) and these
tweets lead to malicious Websites developed for the Opfake application.
These tweets, Hamada said, usually carry short URLs and are written
primarily in Russian, with some English mixed in. Once users reach the site,
they're prompted to install the malicious code. While those aspects are common
to most cyber-criminals using Twitter, their individual tactics vary, making it
difficult to tell which tweets are bad short of actually clicking on the link.
In the blog post, Hamada gives several examples of malicious
He also outlines other characteristics of malicious tweets,
though he cautions that they can vary wildly. Some, Hamada said, are more
easily spotted because similar tweets are sent out constantly from accounts that have no
followers. That said, others don't tweet as often and do have
followers. Some have content in their profiles, while others don't. Some have
strange account names, but other account names are fairly common.
Again, Hamada in the blog post shows some of the more easily
recognizable bad accounts.
Symantec is finding that these malicious tweeting operations run
continuously, sometimes several at once. Hamada pointed
to a recent operation that ran for eight hours and included more than 130,000
tweets from about 100 accounts before it stopped. Another that occurred at the
same time sent out more than 1,500 tweets from more than 50 accounts in about
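The account characteristics Hamada lists (short URLs, Russian text, posting frequency, follower count, empty profiles, repeated content) can be turned into a simple triage scorer for a feed of tweets. The following is an added example written for this article, not code from Symantec or the blog post; the sample tweets, the shortener list, the weights and the posting-rate threshold are all constructed assumptions, and real tooling would expand the shortened links rather than trust a host list.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample tweets (not from the article). Each record carries the
# account metadata Hamada's post says varies between campaigns: follower
# count, whether the profile has any content, posting frequency, and the
# tweet text itself (short URL, Russian with some English mixed in).
SAMPLE_TWEETS = [
    {"account": "x7q2p9", "followers": 0, "bio": "", "ts": "2012-03-12T10:00:00",
     "text": "Скачать Opera Mini бесплатно http://bit.ly/EXAMPLE1"},
    {"account": "x7q2p9", "followers": 0, "bio": "", "ts": "2012-03-12T10:03:00",
     "text": "Новая версия Opera Mini http://bit.ly/EXAMPLE2"},
    {"account": "x7q2p9", "followers": 0, "bio": "", "ts": "2012-03-12T10:06:00",
     "text": "Скачать Opera Mini бесплатно http://bit.ly/EXAMPLE3"},
    {"account": "x7q2p9", "followers": 0, "bio": "", "ts": "2012-03-12T10:09:00",
     "text": "Новая версия Opera Mini http://bit.ly/EXAMPLE4"},
    {"account": "alice_dev", "followers": 340, "bio": "Android developer",
     "ts": "2012-03-12T09:00:00",
     "text": "Pushed a fix for the rotation bug https://github.com/example/app"},
    {"account": "alice_dev", "followers": 340, "bio": "Android developer",
     "ts": "2012-03-12T14:00:00", "text": "Lunch. Then more debugging."},
    {"account": "mobi_news", "followers": 25, "bio": "Mobile news in RU/EN",
     "ts": "2012-03-12T11:00:00",
     "text": "Обзор нового смартфона http://bit.ly/EXAMPLE5"},
    {"account": "mobi_news", "followers": 25, "bio": "Mobile news in RU/EN",
     "ts": "2012-03-12T12:00:00", "text": "Android 4.0 update schedule announced"},
    {"account": "mobi_news", "followers": 25, "bio": "Mobile news in RU/EN",
     "ts": "2012-03-12T13:00:00", "text": "Weekly roundup of mobile security news"},
]

# Assumed shortener list; production tooling would expand the link instead.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "is.gd", "ow.ly"}
URL_RE = re.compile(r"https?://([^/\s]+)[^\s]*")
CYRILLIC_RE = re.compile(r"[\u0400-\u04FF]")


def has_short_url(text):
    """True if any URL in the text points at a known shortener host."""
    return any(m.group(1).lower() in SHORTENER_HOSTS for m in URL_RE.finditer(text))


def has_cyrillic(text):
    return bool(CYRILLIC_RE.search(text))


def normalize(text):
    """Drop URLs and case so re-posted templates with fresh links compare equal."""
    return " ".join(URL_RE.sub("", text).lower().split())


def score_accounts(tweets, rate_threshold=10.0):
    """Return {account: {"score": int, "reasons": [...]}} using additive weights.

    Weights and the tweets-per-hour threshold are assumptions for this example;
    the campaign in the article averaged far more than 100 tweets per account
    per hour, so 10/hour is a deliberately conservative cut-off.
    """
    by_account = defaultdict(list)
    for t in tweets:
        by_account[t["account"]].append(t)
    results = {}
    for account, posts in by_account.items():
        score, reasons = 0, []
        if any(has_short_url(p["text"]) for p in posts):
            score += 1
            reasons.append("short URL")
        if any(has_cyrillic(p["text"]) for p in posts):
            score += 1
            reasons.append("Cyrillic text")
        if posts[0]["followers"] == 0:
            score += 2
            reasons.append("no followers")
        if not posts[0]["bio"].strip():
            score += 1
            reasons.append("empty profile")
        times = sorted(datetime.fromisoformat(p["ts"]) for p in posts)
        # Floor the span at one minute so a burst of posts does not divide by zero.
        span_h = max((times[-1] - times[0]).total_seconds() / 3600, 1 / 60)
        if len(posts) > 1 and len(posts) / span_h >= rate_threshold:
            score += 2
            reasons.append("high posting rate")
        distinct = {normalize(p["text"]) for p in posts}
        if len(posts) >= 3 and len(distinct) / len(posts) <= 0.5:
            score += 2
            reasons.append("repeated text")
        results[account] = {"score": score, "reasons": reasons}
    return results


def flagged_accounts(tweets, threshold=5):
    """Accounts whose score reaches the (assumed) review threshold, sorted."""
    scores = score_accounts(tweets)
    return sorted(a for a, r in scores.items() if r["score"] >= threshold)


if __name__ == "__main__":
    for account, r in score_accounts(SAMPLE_TWEETS).items():
        print(f"{account:10} score={r['score']} {', '.join(r['reasons'])}")
    print("flagged:", flagged_accounts(SAMPLE_TWEETS))
```

No single signal is decisive, which is Hamada's point: the bilingual news account in the sample also posts Cyrillic text with a shortened link and scores 2, while the throwaway account accumulates every signal at once. Scoring accounts rather than individual tweets is what makes the burst behaviour (posting rate, repeated templates) visible at all.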
There were other minor operations taking place as well, he
said in the blog post. However, I was unable to confirm the number involved.
Hamada commended Twitter for being responsive to findings of
malicious tweets from Symantec, which reports to Twitter when it sees
particular patterns in malicious tweeting. Symantec suggests to Twitter
officials that they shut down such accounts. Twitter also offers a place where
users can report if they suspect an account is nothing more than spam
Hamada said those cyber-criminals running malicious tweeting
operations are now following a similar cat-and-mouse game that occurs with
traditional malware. That is, security vendors update detections for malware,
and the malware developers then update their malware.
Cyber-criminals mix their game around, thereby making it
difficult to recognize all bad tweets and most of all: they are persistent, he
He noted that Twitter's Help Center also offers tips
on keeping a Twitter account secure
Smartphones have allowed users to access the Internet
anytime, anywhere and perform tasks that were only possible using computers,
Hamada wrote. While the convenience provides so many great advantages, cyber-criminals
are also taking this opportunity to accomplish their bad deeds. So be wary when
using mobile devices. For tweets in particular, be selective when deciding
which links in the tweets to click on. You may want to only trust tweets you
are familiar with. Tweets are similar to email. You wouldn't open an email from
an unknown sender and then click on the included link, would you? This usually
means bad news and the same goes for tweets.
Hamada has been following the Android.Opfake malware. In a March
2 blog post
, he noted that while the developers of the malware have
targeted Android- and Symbian-based smartphones, they also are looking to
target users of Apple's iPhone.
We have come across a couple of Opfake Websites that, while
hosting malicious apps that Symantec detects as Android.Opfake, are also
designed to perform social engineering attacks on iPhone users, Hamada wrote.
The iPhone is designed to prevent the installation of applications outside of
the Apple App Store. This makes life difficult for bad guys attempting to fool
users into installing malicious apps in a similar manner to Android and Symbian
devices. To get around this, the Opfake gang has developed a social engineering
trick that does not require apps to scam site visitors.