News  General
Chinese hackers bribe mobile gaming company

Malware whitelisted

A sophisticated scam involving bribes, a legitimate anti-virus company, mobile apps and stenography has been uncovered in China.

This was not your usual malware attack.

In a multi-pronged operation, the first part was for the attackers to get Qihoo 360, the largest anti-virus company in China, to whitelist several malicious apps. They did this using social engineering techniques, which leveraged past business relationships in order to get them to abuse their trust.

The apps had to be on this whitelist because they had a very specific purpose in mind...

Employees bribed

The next stage of the attack was for the malware operators to bribe the employees of an authorised gaming company to embed their attacking code in one of their mobile apps. This app was on the Qihoo 360s whitelist, so users would not be alerted to any problems.

china arch snow 700x250

Finally, the payload of the malicious apps could be activated. Again, this was very unusual - it targeted, a very popular "eBay" type site in China., however, works a little differently - it uses an instant messaging app to allow users to send pictures of the items they are interested in. These pictures contained hidden nasties, however. Stenography was used to carry extra code over, whilst not affecting the image, so no one would have been aware anything was amiss.

Stenography was used to hide keyloggers

The hidden code sent in the images was a keylogger. Once implanted, every username, password, bank account number etc was being silently recorded and sent off to the bad guys. Even worse, the receiver of the image was the store owner, so it was their accounts the criminals behind the operation were specifically going for. Here's the sequence of events: 

qihoo 700x662

The scary part here is that the usual advice given to users of always going to legitimate app stores for apps wouldn't have helped, since the apps themselves had been whitelisted by a very reputable anti-virus company.

There is more information here