Spam campaign roundup: The Father's Day Edition (June 13, 2014)

This Sunday is Father's Day, the time of year when we celebrate one of the most important people in our lives. As consumers scramble for last-minute gift ideas and deals, cybercriminals are also stepping up their efforts to divert that holiday spending into their own hands.

Over the last week, the Dell SonicWALL threats research team has been tracking Father's Day-related spam emails.

As Father's Day weekend approaches, we are seeing a growing volume of holiday-related spam. These emails share a common theme: they lure consumers into clicking a link and handing over personal information in exchange for heavily discounted products or a chance to win gift cards and coupons. The following are some of the common email subjects:

  • Print your coupon and Shop Amazon on US! Happy Father’s Day
  • Save 81% on These 15 Premium Cigars + Humidor for Father’s Day!
  • Shop for a luxury watch for Dad this Father’s Day.
  • Robertcohen, Here’s a voucher for Lowe’s. Use for Father’s Day.
  • Buy Dad Something Nice from Walmart- Father’s Day Coupon Enclosed

Most of these emails purport to come from popular department stores and promise gift cards or coupons; the links, when clicked, lead to a URL that is not the real merchant's website. The consumer is then asked to enter personal information and to take part in a series of "offers" that often cost money in fees or subscriptions, with no guarantee of ever receiving the products, the services or the free gift card at the end of the process.

Email redirecting to tassetrio.com

The domain names in the URLs embedded in these emails were all registered within the past week, and all of them use a domain privacy service so that the registrant's details do not appear in public Whois lookups. Examples include bankamericardapplyusa.com and yourrecordsarepublicnow.com.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

The Dell SonicWALL Gateway Antivirus and Email Security services constantly monitor and provide protection against such malicious spam and phishing threats.

First TOR-based file encrypting Android Ransomware (June 10, 2014)

Last month the Dell SonicWALL Threats Research team reported on AndroidLocker, an Android malware family that locks up mobile devices until the victim pays a ransom to unlock the phone. We have since come across a newer Android ransomware, SimpleLocker, that uses the same pornography-themed scareware tactics but adds two new capabilities: A) it encrypts the user's files, including documents, images and videos stored on the device's SD card; B) it uses the Tor network for its Command and Control communication. This is the first Android malware family that both encrypts files and communicates over Tor.

We have already shared our analysis of the AndroidLocker ransomware, which only locks the screen and does not encrypt files.

Infection Cycle

Before installation the app requests the following permissions:

  • internet (full internet access)
  • access_network_state (access information about networks)
  • read_phone_state
  • receive_boot_completed
  • wake_lock
  • write_external_storage [Used for file encryption]
  • read_external_storage [Used for file encryption]

Upon installation the app appears in the app drawer as "sex xonix".

Once the user opens the app, the following message covers the screen:

This ransom message is in Russian and can be roughly translated to:

Subsequently, if the user returns to the home screen and opens any other app, the same ransom message appears, crippling normal use of the phone.

The malware encrypts the user's files, such as images, videos and documents stored on the SD card:

Files stored on the SD card before and after encryption:

The Command and Control server is hosted on a Tor .onion address for protection and anonymity.

It steals device information and contacts its Command & Control server for further commands, possibly including decryption of the files once the ransom is paid.

Because the cipher key is embedded in the malware code, files encrypted by this sample can be decrypted without paying. Future Cryptolocker-like variants for Android that do not ship their key with the sample may be impossible to crack. Users should be extremely cautious when downloading apps from unfamiliar sites and should only install apps from trusted sources.
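The recovery the paragraph above describes, as an added example (not the research team's decryptor and not code from the sample): the key is derived from a constant pulled out of the APK, the SD card is walked, and every renamed file is decrypted in place. The page does not document the sample's actual cipher, key string or file suffix, so the cipher here is a stand-in (a SHA-256 counter-mode keystream XORed with the data) and EMBEDDED_KEY and ENCRYPTED_SUFFIX are assumptions; the victim files are constructed in a temporary directory.

```python
"""Recover files encrypted with a key that ships inside the sample.

The cipher here is a stand-in (a SHA-256 counter-mode keystream XORed with the data):
the page does not document the sample's real algorithm, key string or renamed-file
suffix, so EMBEDDED_KEY and ENCRYPTED_SUFFIX are assumptions for the demonstration.
What carries over is the workflow: derive the key from the constant pulled out of the
APK, walk the SD card, decrypt in place."""
import hashlib
import os
import tempfile

EMBEDDED_KEY = "key-string-pulled-from-the-apk"   # assumption: stands in for the sample's constant
ENCRYPTED_SUFFIX = ".enc"                         # assumption: how the sample renames files
TARGET_EXTENSIONS = {".jpg", ".png", ".mp4", ".doc", ".pdf", ".txt"}


def derive_key(embedded: str) -> bytes:
    """Hash the embedded string into a fixed-length 32-byte key."""
    return hashlib.sha256(embedded.encode()).digest()


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """XOR data with SHA-256(key || 64-bit block counter). The keystream depends only on
    the key, so the same call encrypts and decrypts; that is also why a leaked key
    recovers every victim's files."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        stream = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[start:start + 32]
        out.extend(a ^ b for a, b in zip(chunk, stream))
    return bytes(out)


def encrypt_tree(root: str, key: bytes) -> list:
    """Model the malware's behaviour: encrypt each targeted file under root and rename it."""
    encrypted = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            with open(path + ENCRYPTED_SUFFIX, "wb") as f:
                f.write(keystream_xor(data, key))
            os.remove(path)
            encrypted.append(path + ENCRYPTED_SUFFIX)
    return encrypted


def recover_tree(root: str, key: bytes) -> list:
    """The decryptor: walk the SD card image and restore every *.enc file in place."""
    recovered = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(ENCRYPTED_SUFFIX):
                continue
            enc_path = os.path.join(dirpath, name)
            with open(enc_path, "rb") as f:
                plain = keystream_xor(f.read(), key)
            orig_path = enc_path[:-len(ENCRYPTED_SUFFIX)]
            with open(orig_path, "wb") as f:
                f.write(plain)
            os.remove(enc_path)
            recovered.append(orig_path)
    return recovered


# Constructed victim files (relative to the SD card root) used by the demo.
SAMPLE_FILES = {
    "DCIM/Camera/IMG_0001.jpg": b"\xff\xd8\xff\xe0constructed-jpeg-bytes",
    "Documents/notes.txt": b"quarterly numbers, do not share",
    "Android/data/cache.bin": b"not a targeted extension, left alone",
}


def demo() -> dict:
    """Build a throw-away SD card, let the model malware run, then recover with the
    embedded key. Returns {relative path: file bytes} as found after recovery."""
    key = derive_key(EMBEDDED_KEY)
    with tempfile.TemporaryDirectory() as sd:
        for rel, data in SAMPLE_FILES.items():
            path = os.path.join(sd, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        encrypt_tree(sd, key)
        recover_tree(sd, key)
        result = {}
        for rel in SAMPLE_FILES:
            with open(os.path.join(sd, rel), "rb") as f:
                result[rel] = f.read()
        return result


if __name__ == "__main__":
    for rel, data in demo().items():
        print(rel, data[:24])
```

The contrast with the "impossible to crack" variants the paragraph warns about is in the key handling, not the cipher: here derive_key() recomputes the same key on any machine, whereas a locker that generates a random per-victim key and only ever stores it on the C&C server leaves nothing on the device to recover from.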

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: AndroidOS.Simplocker.A (Trojan)

Microsoft Security Bulletin Coverage (June 10, 2014)

Dell SonicWALL has analyzed and addressed Microsoft's security advisories for June 2014. The issues reported, along with Dell SonicWALL coverage information, are as follows:

MS14-030 Vulnerability in Remote Desktop Could Allow Tampering (2969259)

  • CVE-2014-0296 RDP MAC Vulnerability
    There are no known exploits in the wild.

MS14-031 Vulnerability in TCP Protocol Could Allow Denial of Service (2962478)

  • CVE-2014-1811 TCP Denial of Service Vulnerability
    There are no known exploits in the wild.

MS14-032 Vulnerability in Microsoft Lync Server Could Allow Information Disclosure (2969258)

  • CVE-2014-1823 Lync Server Content Sanitization Vulnerability
    IPS: 3943 “Microsoft Lync Server Information Disclosure Vulnerability (MS14-032)”

MS14-033 Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2966061)

  • CVE-2014-1816 MSXML Entity URI Vulnerability
    There are no known exploits in the wild.

MS14-034 Vulnerability in Microsoft Word Could Allow Remote Code Execution (2969261)

  • CVE-2014-2778 Embedded Font Vulnerability
    There are no known exploits in the wild.

MS14-035 Cumulative Security Update for Internet Explorer (2969262)

  • CVE-2014-0282 Internet Explorer Memory Corruption Vulnerability
    IPS: 3936 “Internet Explorer Memory Corruption Vulnerability (MS14-035) 8”
  • CVE-2014-1762 Internet Explorer Memory Corruption Vulnerability
    IPS: 3938 “Internet Explorer Memory Corruption Vulnerability (MS14-035) 7”
  • CVE-2014-1764 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1766 Internet Explorer Memory Corruption Vulnerability
    IPS: 3939 “Internet Explorer Memory Corruption Vulnerability (MS14-035) 6”
  • CVE-2014-1769 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1770 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1771 TLS Server Certificate Renegotiation Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1772 Internet Explorer Memory Corruption Vulnerability
    IPS: 3941 “Internet Explorer Memory Corruption Vulnerability (MS14-035) 5”
  • CVE-2014-1773 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1774 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1775 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1777 Internet Explorer Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1778 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1779 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1780 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1781 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1782 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1783 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1784 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1785 Internet Explorer Memory Corruption Vulnerability
    IPS: 3929 “Internet Explorer Memory Corruption Vulnerability (MS14-035) 1”
  • CVE-2014-1786 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1788 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1789 Internet Explorer Memory Corruption Vulnerability
    IPS: 3930 “Internet Explorer Memory Corruption Vulnerability (MS14-035) 2”
  • CVE-2014-1790 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1791 Internet Explorer Memory Corruption Vulnerability
    IPS: 3933 “Internet Explorer Memory Corruption Vulnerability (MS14-035) 3”
  • CVE-2014-1792 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1794 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1795 Internet Explorer Memory Corruption Vulnerability
    IPS: 3934 “Internet Explorer Memory Corruption Vulnerability (MS14-035) 4”
  • CVE-2014-1796 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1797 Internet Explorer Memory Corruption Vulnerability
    IPS: 6308 “HTTP Client Shellcode Exploit 46”
  • CVE-2014-1799 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1800 Internet Explorer Memory Corruption Vulnerability
    IPS: 3944 “Internet Explorer Memory Corruption Vulnerability (MS14-035) 9”
  • CVE-2014-1802 Internet Explorer Memory Corruption Vulnerability
    IPS: 3955 “Internet Explorer Memory Corruption Vulnerability (MS14-035) 10”
  • CVE-2014-1803 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1804 Internet Explorer Memory Corruption Vulnerability
    IPS: 7454 “HTTP Client Shellcode Exploit 35a”
  • CVE-2014-1805 Internet Explorer Memory Corruption Vulnerability
    IPS: 3480 “DOM Object Use-After-Free Attack 10a”
  • CVE-2014-2753 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2754 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2755 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2756 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2757 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2758 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2759 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2760 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2761 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2763 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2764 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2765 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2766 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2767 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2768 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2769 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2770 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2771 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2772 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2773 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2775 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2776 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2777 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS14-036 Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487)

  • CVE-2014-1817 Unicode Scripts Processor Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1818 GDI+ Image Parsing Vulnerability
    There are no known exploits in the wild.

Soraya Infostealer bot with Point-Of-Sale support (June 5, 2014)

The Dell SonicWALL Threats Research team has observed reports of a new infostealer bot family named Soraya spreading actively in the wild. This is the first infostealer bot family to combine the form-grabbing functionality of the Zeus banking Trojan with the memory-scraping functionality of the Dexter Point-of-Sale Trojan. The bot is therefore equipped to target both user systems and Point-of-Sale terminals, stealing sensitive user credentials and credit card information. We have already spotted drive-by-download URLs actively serving this bot in the wild.

Infection Cycle:

The Trojan checks for the presence of the following file on the infected system:

    c:\myapp.exe

The Trojan adds the following file to the filesystem:

  • %APPDATA%\servhost.exe [Detected as GAV: Soraya.A_2 (Trojan)]

The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WinServHost “%APPDATA%\servhost.exe”

It then injects malicious code into multiple system processes and executes it using CreateRemoteThread. One of the injected threads handles the Command and Control communication with a predetermined remote server: it decrypts the embedded C&C information in memory, creates a mutex, and registers the bot with the remote server.

The malware also installs the following user-mode hooks on the infected system:

These hooks will ensure that:

  • Any new process spawned from Explorer.exe is also injected with the malicious code
  • The malware executable stays hidden from the user
  • Network activity is intercepted

A separate injected thread provides the form-grabbing functionality by injecting itself into any newly launched browser process and installing browser-specific hooks for popular browsers such as Chrome, Internet Explorer and Firefox.

Another injected thread periodically scrapes the memory of active non-system processes on the infected machine for credit card information. The stolen data is then relayed to the Command & Control server.

Command and Control communication

During our analysis we observed the following communication between the infected machine and the C2 server:

Registering the infected machine [mode=1]

Checking the C2 server for pending commands [mode=2]

Reporting job completion status to C2 server [mode=3]

FormGrab module stolen data sent to C2 server [mode=4]

Memory scraping module stolen data sent to C2 server [mode=5]

Other C2 commands supported by Soraya bot that we saw during our analysis include:

  • vweb
  • vstealth
  • down
  • update

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Soraya.A (Trojan)
  • GAV: Soraya.A_2 (Trojan)
  • GAV: Soraya.A_3 (Trojan)
  • IPS:3920 Soraya C&C Traffic 1

OpenSSL SSL/TLS MITM vulnerability (June 6, 2014)

Since the OpenSSL Heartbleed vulnerability (CVE-2014-0160) was disclosed on April 7th, the discussion has turned to preventing similar bugs, and the existing code base has come under closer scrutiny. On June 5th, OpenSSL released a security advisory covering six vulnerabilities. Among them, the SSL/TLS MITM vulnerability (CVE-2014-0224) is rated the most important.

This MITM vulnerability affects OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h. The vulnerable code in these versions does not properly restrict when a ChangeCipherSpec (CCS) message may be processed, which allows a man-in-the-middle attacker to force the use of a zero-length master key in certain OpenSSL-to-OpenSSL connections and consequently to hijack sessions or obtain sensitive information. Both ends of the connection must be vulnerable: all OpenSSL client versions are affected, while servers are only known to be exploitable when running 1.0.1 or 1.0.2-beta1.

The patch for this vulnerability was released on Friday, May 16th, 2014. It correctly checks when a CCS message may be accepted. The following code snippet sets the new SSL3_FLAGS_CCS_OK flag for this purpose:

And the following code tests the flag before processing the CCS message:

To eliminate the vulnerabilities, upgrade to the following versions:

  • OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
  • OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

Dell SonicWALL has researched this vulnerability and released the following IPS signature to protect its customers:

  • IPS: 10386 Excessive SSL Change Cipher Spec Messages.

Dell SonicWALL has also released an IPS signature covering the DTLS invalid fragment vulnerability (CVE-2014-0195):

  • IPS: 10387 OpenSSL DTLS Fragmentation DoS
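The record pattern the "Excessive SSL Change Cipher Spec Messages" signature is named for, as an added example that is not the signature itself and not OpenSSL code: an attacker exploiting CVE-2014-0224 injects a CCS towards both peers straight after ServerHello, so on the wire the handshake shows a CCS before any ClientKeyExchange, and then more than one CCS in the same direction. The audit below parses TLS records (RFC 5246 layout) from a flow and applies the acceptance rule the patched OpenSSL enforces with its CCS_OK flag; the two byte streams are constructed stand-ins for captured traffic.

```python
"""Flag ChangeCipherSpec records that arrive before the handshake allows them. An attacker
exploiting CVE-2014-0224 injects a CCS towards both peers straight after ServerHello, so
on the wire the handshake shows a CCS before any ClientKeyExchange, and more than one CCS
per direction. Record and handshake headers follow RFC 5246. The byte streams are
constructed stand-ins for captured traffic, not real captures."""
import struct

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE = 1, 2, 11, 14
CLIENT_KEY_EXCHANGE, FINISHED = 16, 20


def parse_records(stream: bytes) -> list:
    """Split a TLS byte stream into (content_type, fragment) pairs; 5-byte record header."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        if ctype not in (20, 21, 22, 23) or major != 3 or off + 5 + length > len(stream):
            raise ValueError(f"malformed record at offset {off}")
        records.append((ctype, stream[off + 5:off + 5 + length]))
        off += 5 + length
    if off != len(stream):
        raise ValueError("trailing bytes after last record")
    return records


def handshake_types(fragment: bytes) -> list:
    """Handshake message types inside one plaintext handshake record (4-byte msg header)."""
    types, off = [], 0
    while off + 4 <= len(fragment):
        types.append(fragment[off])
        off += 4 + int.from_bytes(fragment[off + 1:off + 4], "big")
    return types


def audit(flow: list) -> list:
    """flow: [(direction, bytes)] with direction 'c2s' or 's2c', in wire order.
    Approximates the rule the patched OpenSSL enforces: a CCS is acceptable only after the
    client's ClientKeyExchange, and only once per direction per handshake. Returns
    [(flow index, direction, finding)]."""
    findings = []
    ccs_ok = False
    ccs_count = {"c2s": 0, "s2c": 0}
    encrypted = {"c2s": False, "s2c": False}   # after a CCS, later records are opaque
    for idx, (direction, data) in enumerate(flow):
        for ctype, fragment in parse_records(data):
            if ctype == HANDSHAKE and not encrypted[direction]:
                for msg in handshake_types(fragment):
                    if msg == CLIENT_HELLO and direction == "c2s":
                        ccs_ok, ccs_count = False, {"c2s": 0, "s2c": 0}
                    elif msg == CLIENT_KEY_EXCHANGE and direction == "c2s":
                        ccs_ok = True
            elif ctype == CHANGE_CIPHER_SPEC:
                ccs_count[direction] += 1
                if fragment != b"\x01":
                    findings.append((idx, direction, "malformed-ccs"))
                if not ccs_ok:
                    findings.append((idx, direction, "early-ccs"))
                if ccs_count[direction] > 1:
                    findings.append((idx, direction, "excessive-ccs"))
                encrypted[direction] = True
    return findings


def hs_record(msg_type: int, body: bytes = b"") -> bytes:
    """Build one TLS 1.0 record carrying a single handshake message."""
    message = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", HANDSHAKE, 3, 1, len(message)) + message


CCS_RECORD = struct.pack("!BBBH", CHANGE_CIPHER_SPEC, 3, 1, 1) + b"\x01"
HELLO_BODY = b"\x03\x01" + b"\x00" * 32          # version + random; the rest is irrelevant here
SERVER_FLIGHT = hs_record(SERVER_HELLO, HELLO_BODY) + hs_record(CERTIFICATE) + hs_record(SERVER_HELLO_DONE)
CLIENT_FLIGHT = hs_record(CLIENT_KEY_EXCHANGE, b"\x00\x10" + b"\x11" * 16) + CCS_RECORD + hs_record(FINISHED, b"\x22" * 12)


def normal_handshake() -> list:
    return [("c2s", hs_record(CLIENT_HELLO, HELLO_BODY)), ("s2c", SERVER_FLIGHT),
            ("c2s", CLIENT_FLIGHT), ("s2c", CCS_RECORD + hs_record(FINISHED, b"\x33" * 12))]


def early_ccs_attack() -> list:
    """Same handshake with the attacker's CCS injected towards both peers after ServerHello."""
    return [("c2s", hs_record(CLIENT_HELLO, HELLO_BODY)), ("s2c", SERVER_FLIGHT),
            ("c2s", CCS_RECORD), ("s2c", CCS_RECORD), ("c2s", CLIENT_FLIGHT)]


if __name__ == "__main__":
    print("normal:", audit(normal_handshake()))
    print("attack:", audit(early_ccs_attack()))
```

Once an injected CCS has been seen, everything that follows in that direction is treated as opaque, which is also what happens on the real wire: both peers switch to keys derived from the empty master secret, so the client's genuine ClientKeyExchange is never visible in the clear and its later CCS is reported as both early and excessive.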

CA ERwin Web Portal Directory Traversal (May 30, 2014)

The CA ERwin Web Portal is a simple, customizable, web-based interface that lets users visualize the metadata stored in CA ERwin Data Modeler. It provides easy web access to that information, with a variety of presentation and search formats to suit a wide range of user types in an organization. The interface serves HTTP requests on port TCP/19980.

CA ERwin Web Portal lets users download XML configuration files from the default configuration directory; these requests are handled by the ConfigServiceProviderServlet servlet on the server, declared as follows:

  <servlet>
    <servlet-name>ConfigServiceProvider</servlet-name>
    <servlet-class>MITI.mimbagent.ConfigServiceProviderServlet</servlet-class>
    <load-on-startup>3</load-on-startup>
  </servlet>

A directory traversal vulnerability exists in CA ERwin Web Portal. The vulnerable code fails to sanitize the ".." traversal pattern in user-supplied data. This allows an attacker to create or overwrite XML files outside the intended content folder, which can lead to the bypass of security restrictions and possibly to remote code execution.
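The check the servlet needed, as an added illustration in Python rather than the product's own (Java) code: the client-supplied file name is resolved against the configuration directory and anything that lands outside it is refused. CONFIG_DIR is an assumed location and the probe strings are constructed; the naive resolution is shown beside the hardened one so the difference is visible on the same inputs.

```python
"""The check the servlet needed: resolve the client-supplied file name against the
configuration directory and refuse anything that lands outside it. This is an added
Python illustration, not the product's (Java) code; CONFIG_DIR is an assumed location.
The naive version is shown beside the hardened one so the difference is visible on the
same inputs."""
import posixpath
from urllib.parse import unquote

CONFIG_DIR = "/opt/erwin/portal/config"   # assumption: where the XML configuration lives


def vulnerable_resolve(base: str, user_path: str) -> str:
    """Concatenate and let the file system interpret '..': the bug class on this page."""
    return posixpath.normpath(posixpath.join(base, unquote(user_path)))


def safe_resolve(base: str, user_path: str) -> str:
    """Decode exactly once (assumes the container hands over the raw value), reject
    characters that change meaning on other layers, normalise, and confirm the result is
    still under base. Raises ValueError on anything that is not a plain file inside base."""
    decoded = unquote(user_path)
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("forbidden character in path")
    if decoded.startswith("/"):
        raise ValueError("absolute path not allowed")
    if any(part == ".." for part in decoded.split("/")):
        raise ValueError("parent-directory reference not allowed")
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if candidate == base or not candidate.startswith(base + "/"):
        raise ValueError("path escapes configuration directory")
    return candidate


def is_safe(base: str, user_path: str) -> bool:
    try:
        safe_resolve(base, user_path)
        return True
    except ValueError:
        return False


# Constructed request values a legitimate client and an attacker might send.
PROBES = [
    "server.xml",
    "profiles/default.xml",
    "../../../../etc/passwd",
    "..%2F..%2Fwebapps%2FROOT%2Fweb.xml",
    "..\\..\\web.xml",
    "/etc/passwd",
    "a/../b.xml",
]

if __name__ == "__main__":
    for p in PROBES:
        print(f"{p:40} naive={vulnerable_resolve(CONFIG_DIR, p):45} safe={is_safe(CONFIG_DIR, p)}")
```

The prefix test is done on the normalised path, not on the raw string, because the raw string can look harmless while still escaping once ".." is collapsed; and the comparison appends a separator so that a sibling directory such as /opt/erwin/portal/config-old is not mistaken for a child. If the configuration directory may contain symlinks, resolve with os.path.realpath before the prefix test as well.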

The Dell SonicWALL threat research team has researched this vulnerability and released the following IPS signature for it:

  • IPS:3865 CA ERwin Web Portal Directory Traversal 3

This vulnerability has been assigned CVE-2014-2210.

Dropper Trojan leaks user data (May 30, 2014)

The Dell SonicWALL Threats Research team has discovered an infostealer Trojan that leaks system information. It uses SSL to communicate with its remote C&C servers. The malware analyzed here appears to be a dropper Trojan that can download and run further malware.

Infection Cycle:

The Trojan uses the following icon to masquerade as a harmless PDF file:

The Trojan adds the following file to the filesystem:

  • %APPDATA%\Microsoft\qfmcommon.exe [Detected as GAV: Dapato.EBEE (Trojan)]
  • %APPDATA%\2288127.bat (contains cleanup code to delete the original executable)

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run qfmcommon.exe “%APPDATA%\Microsoft\qfmcommon.exe”
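Both this dropper and the Soraya bot earlier on the page persist through the same HKCU Run key, so one triage check covers them. The following is an added example, not the research team's tooling: it parses a .reg export of the key (so it can run on an offline analysis box) and flags values whose image lives under a user-writable profile directory. The export is constructed, with REG_SZ values only, the user name alice and the profile paths assumed; the two entries from this page sit next to a legitimate one.

```python
"""Triage the HKCU Run key, the persistence location used by both the Soraya bot and the
Dapato dropper described on this page. Input is a .reg export so the check runs on an
offline analysis box; the export below is constructed (REG_SZ values only, user name
'alice' and profile paths assumed), with the two entries from this page next to a
legitimate one. On a live host feed it the output of
reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinServHost"="\"%APPDATA%\\servhost.exe\""
"qfmcommon.exe"="\"%APPDATA%\\Microsoft\\qfmcommon.exe\""
'''

# Constructed profile used to expand %VAR% references.
PROFILE_ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text: str) -> list:
    """Return [(value name, data)] from the Run key section of a .reg export."""
    values, in_key = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = _VALUE_LINE.match(line) if in_key else None
        if m:
            values.append((_unescape(m.group(1)), _unescape(m.group(2))))
    return values


def command_image(data: str) -> str:
    """Executable path from a Run value: the quoted path, or the first token if unquoted."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]


def expand(path: str, env: dict = PROFILE_ENV) -> str:
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def triage_run_key(reg_text: str, env: dict = PROFILE_ENV) -> list:
    """[(name, expanded image, verdict)]. 'appdata-root': binary dropped straight into
    %APPDATA% (servhost.exe above); 'appdata': elsewhere under the roaming profile
    (qfmcommon.exe); 'user-writable': other profile locations; 'ok': anything else.
    Every verdict but 'ok' means the image needs its hash and signature checked."""
    appdata = env["APPDATA"].lower()
    roots = [p.lower() for p in env.values()]
    results = []
    for name, data in parse_run_values(reg_text):
        image = expand(command_image(data), env)
        low = image.lower()
        if low.startswith(appdata + "\\") and "\\" not in low[len(appdata) + 1:]:
            verdict = "appdata-root"
        elif low.startswith(appdata + "\\"):
            verdict = "appdata"
        elif any(low.startswith(r + "\\") for r in roots):
            verdict = "user-writable"
        else:
            verdict = "ok"
        results.append((name, image, verdict))
    return results


if __name__ == "__main__":
    for name, image, verdict in triage_run_key(SAMPLE_REG):
        print(f"{verdict:14} {name:16} {image}")
```

The verdicts are a prioritisation, not a conviction: legitimate per-user software (the OneDrive entry) also lives under the profile, which is why the output carries the expanded image path so the analyst can go straight to hashing and signature checks rather than guessing from the value name.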

Upon execution the Trojan injects code into a running instance of explorer.exe:

The injected code makes the following POST request to a remote C&C server using SSL over port 8080:

The encrypted payload contains the session username and geographical information, amongst other data:

The above request causes the C&C server to return a malicious executable:

The following C&C server IP addresses were discovered in the injected code. The Trojan tries each server until it receives a reply:

The Trojan continually cycles through the list of C&C servers and downloads an executable if the connection is successful. The executable downloaded can lead to malware from any family designated by the operators.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Dapato.EBEE (Trojan)

Spam campaign roundup: The Memorial Day Edition (May 23, 2014)

This coming Monday is Memorial Day, the day on which Americans honor soldiers who died serving the country; it also marks the unofficial start of summer in the United States. The holiday weekend is also one of the biggest sale weekends of the year. While consumers plan their shopping, cybercriminals take advantage of them by sending unsolicited advertisements for products and services that often lead to fraud, phishing and even malware.

Over the last week, the Dell SonicWALL threats research team has been tracking Memorial Day-related spam emails.

As the Memorial Day weekend approaches, we are seeing a growing volume of holiday-related spam. These emails share a common theme: they lure consumers into clicking a link and handing over personal information in exchange for deep discounts and offers. Most of them are poorly crafted, with obvious errors in grammar and spelling. The following are some of the most common email subjects:

  • Ann up until Memorial Day, get a new iPhone 5s for $4.50
  • This will breaking some records (Memorial Day)
  • Shop for Memorial Day Weekend with this Costco Voucher, for: Johnbiggles, Gift Card #1089007xxx
  • Levi_r reward bucks to use this Memorial Day
  • Annual Memorial Day savings are here!
  • Memorial Day Vehicle Clearance Sale
  • Use this JCPenney coupon during checkout for Memorial Day SAVINGS

Some emails purport to come from popular department stores or restaurant chains and promise gift cards or coupons; the links, when clicked, lead to a URL that is not the real merchant's website. The consumer is then asked to enter personal information and to take part in a series of "offers" that often cost money in fees or subscriptions, with no guarantee of ever receiving the products, the services or the free gift card at the end of the process.

Figure 2: Email redirecting to gitcarddatabaseofcostco.com
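The three indicators both the Father's Day and the Memorial Day roundups rely on can be checked mechanically: the link text names a retailer but the destination is not that retailer's domain, the destination was registered only days ago, and the registrant hides behind a Whois privacy service. The following is an added example (not the research team's tooling) that runs those checks over a message body. The HTML, the Whois records and the brand-to-domain table are constructed; gitcarddatabaseofcostco.com is the redirect domain named in the figure, but its Whois record here is invented for the example, not a real lookup.

```python
"""Triage the links in a holiday-spam message using the three indicators from the two
roundups above: the link text names a retailer but the destination is not that
retailer's domain, the destination was registered only days ago, and the registrant hides
behind a Whois privacy service. The HTML, the Whois records and the brand-to-domain table
are constructed for the example (gitcarddatabaseofcostco.com is the redirect domain named
in the figure; its Whois record here is invented, not a real lookup)."""
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

ANALYSIS_DATE = date(2014, 5, 23)

SAMPLE_HTML = """
<p>Shop for Memorial Day Weekend with this Costco Voucher, Gift Card #1089007xxx</p>
<p><a href="http://gitcarddatabaseofcostco.com/claim?id=1089007">Claim your Costco gift card</a></p>
<p>Or visit <a href="https://www.costco.com/">costco.com</a> to shop online.</p>
"""

# Constructed stand-in for a Whois lookup, keyed by registered domain.
WHOIS = {
    "gitcarddatabaseofcostco.com": {"created": date(2014, 5, 19), "privacy": True},
    "costco.com": {"created": date(1997, 1, 1), "privacy": False},
}

# Brands the campaign impersonates and the domains they legitimately use (assumed list).
BRAND_DOMAINS = {
    "costco": {"costco.com"},
    "jcpenney": {"jcpenney.com"},
    "lowe's": {"lowes.com"},
    "walmart": {"walmart.com"},
    "amazon": {"amazon.com"},
}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels; enough for the .com hosts here (use a public-suffix list in production)."""
    return ".".join(host.lower().split(".")[-2:])


def check_link(href: str, text: str, today: date, whois: dict = WHOIS, max_age_days: int = 30) -> list:
    """Reasons the link looks like a scam; an empty list means none of the indicators fired."""
    reasons = []
    domain = registered_domain(urlparse(href).hostname or "")
    brand = next((b for b in BRAND_DOMAINS if b in text.lower()), None)
    if brand and domain not in BRAND_DOMAINS[brand]:
        reasons.append(f"link text names {brand} but points at {domain}")
    record = whois.get(domain)
    if record is None:
        reasons.append(f"no registration record for {domain}")
        return reasons
    age = (today - record["created"]).days
    if age < max_age_days:
        reasons.append(f"{domain} was registered {age} days ago")
    if record["privacy"]:
        reasons.append(f"{domain} is registered through a privacy service")
    return reasons


def triage(html: str, today: date = ANALYSIS_DATE) -> dict:
    """Map each href in the message to its list of reasons."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text, today) for href, text in collector.links}


if __name__ == "__main__":
    for href, reasons in triage(SAMPLE_HTML).items():
        print(href, "->", "; ".join(reasons) or "no indicators")
```

Domain age and privacy registration are weak signals on their own (plenty of legitimate small businesses match both), which is why the check keys on their combination with a brand mismatch rather than treating any one of them as conclusive.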

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

Dell SonicWALL Gateway Antivirus monitors and provides constant protection against such malicious spam and phishing threats.

Internet Explorer Vulnerability CVE-2014-1776 Exploit Analysis (May 23, 2014)

The Dell SonicWALL Threat Research team has analyzed the Internet Explorer vulnerability CVE-2014-1776. We first addressed this vulnerability when Microsoft released its out-of-band Security Advisory (2963983).

The following is an analysis of how the attack is carried out.

The attack reaches the victim's system via a webpage containing a crafted malicious HTML document that triggers a use-after-free condition to achieve memory corruption.

The HTML references a SWF file that does the bulk of the work. The decompiled ActionScript below shows how a Vector object is used, along with a reference to eim, an external JavaScript function.

The eim function contains the code that triggers the vulnerability.

The SWF also checks the browser version and acts accordingly.

It also checks and sets a cookie to track the number of times it has run.

The ActionScript locates ZwProtectVirtualMemory, which the ROP chain calls to make the shellcode's memory executable and so achieve reliable code execution.

We have implemented the following signatures to detect the attack:

  • IPS:3787 Internet Explorer Memory Corruption Vulnerability (CVE-2014-1776)
  • SPY:3367 Malformed-File swf.OT.9
  • SPY:2290 Malformed-File swf.OT.8

AndroidLocker ransomware targeting Android phones (May 15, 2014)

The Dell SonicWALL Threats Research team has observed reports of an Android malware, called AndroidLocker, that locks up mobile devices until the victim pays a ransom to unlock the phone. The message displayed looks like an FBI warning about viewing, storing and/or disseminating banned pornography (child pornography, zoophilia, rape etc.), designed to scare the victim into paying the ransom.

Infection Cycle

Before installation the app requests the following permissions:

  • receive_boot_completed (automatically start at boot)
  • internet (full Internet access)
  • wake_lock (prevent phone from sleeping)
  • read_phone_state (read phone state and identity)

These permissions allow the application to access sensitive user information such as the serial number, phone number, etc.

After installation, the application appears under the fake name "BaDoink". Once the user opens it, the ransomware locking activity is triggered and the fake FBI alert is displayed. Users who fall for these scare tactics end up paying the ransom to avoid the supposed charges and get their phone unlocked. The malware uses a geolocation API to tailor the warning to the victim's location.

In AndroidManifest.xml, the BootstrapReceiver is registered with an intent-filter priority of 999, so it receives the boot broadcast ahead of other applications and can re-establish the lock before the user is able to run anything else.

It sets an alarm to invoke com.android.ScheduleLockReceiver and com.android.SheduleUnlockReceiver periodically:
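A manifest triage that covers both lockers on this page, as an added example rather than the research team's tooling: it scores a decoded AndroidManifest.xml (apktool output) on the permission combinations requested by AndroidLocker and by SimpleLocker earlier on the page, and on receivers that hook the boot broadcast at high priority, which is the BootstrapReceiver pattern just described. The two manifests are constructed to match the permission lists and component names given in the write-ups; the package names, the placement of the BaDoink label and any component not named on the page are assumptions, and the weights are an assumed scoring, not the research team's.

```python
"""Manifest triage for the two lockers on this page. It scores a decoded
AndroidManifest.xml (apktool output) on the permission combinations both families
request and on receivers that hook the boot broadcast at high priority, which is the
BootstrapReceiver pattern described above. The two manifests are constructed to match
the permission lists and component names given in the write-ups; package names, the
BaDoink label placement and any component not named on the page are assumptions, and the
weights are an assumed scoring, not the research team's."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr: str) -> str:
    """Namespace-qualified attribute name as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


ANDROIDLOCKER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.badoink">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="BaDoink">
    <receiver android:name="com.android.BootstrapReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.android.ScheduleLockReceiver"/>
    <receiver android:name="com.android.SheduleUnlockReceiver"/>
  </application>
</manifest>
"""

SIMPLELOCKER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.simplelocker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="sex xonix"/>
</manifest>
"""

P = "android.permission."
SIGNALS = {                                   # label: (permissions required, weight)
    "boot-persistence": ({P + "RECEIVE_BOOT_COMPLETED"}, 2),
    "network-c2": ({P + "INTERNET"}, 1),
    "keeps-device-awake": ({P + "WAKE_LOCK"}, 1),
    "device-fingerprint": ({P + "READ_PHONE_STATE"}, 1),
    "sdcard-encryption-capable": ({P + "WRITE_EXTERNAL_STORAGE", P + "READ_EXTERNAL_STORAGE"}, 3),
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def analyse_manifest(xml_text: str, priority_threshold: int = 999) -> dict:
    """Return package, permission list, the signals that fired and their summed score."""
    root = ET.fromstring(xml_text)
    perms = {e.get(android("name")) for e in root.iter("uses-permission")}
    findings = {label: weight for label, (needed, weight) in SIGNALS.items() if needed <= perms}
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(android("name")) for a in flt.iter("action")}
            priority = int(flt.get(android("priority"), "0"))
            if BOOT_ACTION in actions and priority >= priority_threshold:
                findings["high-priority-boot-receiver:" + receiver.get(android("name"))] = 2
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "findings": findings,
        "score": sum(findings.values()),
    }


if __name__ == "__main__":
    for m in (ANDROIDLOCKER_MANIFEST, SIMPLELOCKER_MANIFEST):
        report = analyse_manifest(m)
        print(report["package"], report["score"], sorted(report["findings"]))
```

The external-storage pair is what separates the two families in this scoring: AndroidLocker only needs to come up at boot and phone home, while SimpleLocker additionally needs to read and rewrite the SD card, which is the capability behind the file encryption described earlier.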

It also tries to connect to the following domains:

During our analysis, the sample tried to communicate with police-strong-mobile.com.

It steals device information and connects to the above domain to fetch the lock screen:

The lock page is obtained from this server as shown below:

The page states that the fine is $300 and that it can be paid with MoneyPak Xpress Packet vouchers from retail stores such as 7-Eleven, Walmart, Kmart, Walgreens and CVS.

We are seeing an increasing number of malware families targeting mobile devices in addition to personal computers. This is the first sample we have seen from the AndroidLocker ransomware family, the latest addition to the fast-growing list of mobile malware families. Users are advised to be extremely cautious when installing applications from untrusted third-party sources.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: AndroidOS.Koler.A (Trojan)