Criminals embarked on a sophisticated scheme involving bribery to get malware whitelisted on a Chinese antivirus product, it has emerged.
According to Check Point Software, Qihoo 360 unintentionally whitelisted malware as part of a complex cyber-attack.
According to Feixiang He, a security researcher with Check Point Research Team, the attack was extensive with cyber-criminals bribing employees of a Chinese gaming company into including their malware among the legitimate apps it sent to Qihoo 360.
“These apps passed Qihoo's inspection and were whitelisted, allowing them and the contraband malware to run on machines protected by the widespread and free anti-virus solution offered by Qihoo for mobile and PC. Once this phase was complete, the attackers could initiate their true malicious activity,” said Feixiang He.
Criminals would then would disguise themselves as customers of the popular Chinese eBay clone Taobao.com. These criminals initiate the purchase by sending a picture of an item they want to buy back to the buyer using Aliwanwang, an instant messaging app. But the picture would be injected with a whitelisted Trojan using steganography techniques.
The seller would open the picture on a PC and become infected because the Trojan would not be detected by Qihoo anti-virus. The seller then validates the purchase and requests payment via Alipay, Aliwanwang's payment platform.
“The attacker would then request a refund from the seller, requiring the seller to log in to their Alipay account. The Trojan would then keylog their credentials, allowing the attacker to steal money from the seller's account”, said Feixiang He.
The security researcher said that many AVs use a whitelist approach to avoid false positive detection, “but the way these whitelists are generated and, like as we saw in the Qihoo 360 case, they can be compromised”.
“If malware can be installed on machines protected by Qihoo and can infiltrate into its own app store, this example illustrates how important it is to avoid third-party stores and to instead at least rely on stores with more reliable security,” he said.
Chris Boyd, malware intelligence analyst at Malwarebytes, told SCMagazineUK.com that the focus here should be on what checks and safety nets the gaming company has in place to ensure rogue code or files aren't shipped out to the general public.
“This could be difficult to stamp out if the company is made up of a handful of people and, when something like this can happen, it does raise the possibility that people will tolerate the occasional false positive if it means they don't get caught by something along these lines,” said Boyd.
“A layered approach to security means there's more chance of stopping something which gets past the initial point of entry, but the threat to businesses is likely to be low in this case, as there can't be too many running random Chinese gaming apps on the network. Having said that, any company may have people willing to take a short term gain from a criminal, which is why it is so essential to have a rigorous testing and vetting process in place.”
David Kennerley, senior manager for threat research at Webroot, told SC that the attack on Qihoo 360 shows how creative cyber-criminals are and the industry needs to be fully aware of such techniques.
“Each application whitelist request should be evaluated on its own merits, independently of previously certified offerings, company relationships or politics,” said Kennerley. “Application whitelisting doesn't always involve code analysis as we have seen previously in the PC world, with malware being whitelisted due to trusted code signing certificates becoming compromised.”
Cameron Brown, an independent cyber-defence adviser, told SC that It is hardly surprising that users who follow the recommended best practices and download apps directly from official app stores are finding themselves subject to compromise.
“As businesses increasingly integrate accessibility to enterprise services via mobile devices, miscreants will pivot to developing mobile malware to gain footholds on corporate networks,” he said.