Showing posts with label Android.

Thursday, 24 April 2014

OnePlus One

Expected Q2 2014 (23rd April 2014)

Possibly the greatest smartphone you have never heard of, the OnePlus One is an attractive, premium smartphone without the expensive price-tag.



OnePlus is a startup founded late last year by Pete Lau, vice-president of up-and-coming Chinese firm OPPO. The stated design philosophy of OnePlus is "Never Settle" which is reflected in an apparently very high quality of product design. The OnePlus One manages to look both smart and distinctive at the same time.

Elegance is sometimes only skin-deep, so what lies underneath the One's pleasing exterior? Inside is a 2.5GHz quad-core Qualcomm Snapdragon CPU with 3GB of RAM, 16 or 64GB of storage and a large 3100 mAh battery. On the front is a 5.5" 1080 x 1920 pixel full HD display with a 13 megapixel camera on the back and a 5 megapixel one on the front. It's worth noting that the main camera is a Sony Exmor unit which has a proven track record in this type of device.

This is an LTE-capable device with NFC support and all the usual high-end features. But there are some more unusual features too.. prefer on-screen navigation buttons? You can have those. Prefer the buttons at the bottom? Well, you can switch on those instead. Want to personalise your phone? You can change the back of the device, and you can even use a wooden panel like the Moto X. In fact, the OnePlus One seems to be full of little design details that lift it way above the run-of-the-mill and allow it to compete with leaders such as the HTC One M8 and Apple iPhone 5S.

The operating system is Cyanogenmod 11S, which is a reworking of Android 4.4. Cyanogenmod is popular with people who like to create custom ROMs for their Android devices, and it has a dedicated following of users and developers. You can control the OnePlus with gesture control and pretty much customise it in exactly the way you want.. something that can be difficult with other Android handsets.

The hardware and software look appealing.. but what about the price? OnePlus say that the One will cost $299 / €269 for the 16GB Silk White version or $349 / €299 for the 64GB Sandstone Black version. Initial markets will be the US, most of Western Europe* plus Hong Kong and Taiwan.


That price is about half that of the HTC One M8, which is probably the best handset on the market at the time of writing. OnePlus say that the One should be available during Q2, although the initial release looks like it will be through invitation only. More details can be found on their website at oneplus.net.

One word of warning though - OnePlus are a completely new startup and the company has no track record in getting products to market (although many of their employees do). It's quite possible that the product might ship late (or not at all), the price might change or the quality might not be up to scratch. But we certainly hope that this handset is as good as it promises to be.

* Austria, Belgium, Denmark, Finland, France, Germany, Italy, Netherlands, Portugal, Spain, Sweden, United Kingdom.

OnePlus One at a glance
Available: Q2 2014
Network: GSM 850 / 900 / 1800 / 1900; UMTS 850 / 900 / 1700 / 1900 / 2100; LTE Bands 1 / 3 / 4 / 7 / 17 / 38 / 40
Data: GPRS + EDGE + UMTS (3G) + HSPA+ + LTE + WiFi
Screen: 5.5" 1080 x 1920 pixels
Camera: 13 megapixels (main), 5 megapixels (sub)
Size: Large smartphone, 153 x 76 x 8.9mm / 162 grams
Bluetooth: Yes
Internal memory: 16GB / 64GB
Memory card: None
CPU: 2.5GHz quad-core
RAM: 3GB
Java: Optional
GPS: Yes (plus GLONASS)
OS: Cyanogenmod 11S / Android 4.4
Battery life: Not specified (3100 mAh cell)


Friday, 21 February 2014

Something evil on 74.50.122.8, 5.61.36.231 and 94.185.85.131

Thanks to @Techhelplistcom for the heads up on this little mystery..



It all starts with a spam email (described here)..

The link goes to a URLquery report that seems pretty inconclusive, mentioning a URL of [donotclick]overcomingthefearofbeingfabulous.com/xjvnsqk/fbktojkxbxp.php [an apparently poorly secured server at 74.50.122.8, Total Internet Solutions Pvt. Ltd in India] that just does a redirect to a spammy diet pill site at thefxs.com [94.177.128.10, Linkzone Media Romania] if you have a Windows User Agent set.

As Techhelplist says, set the UA to an Android one and you get a very different result. In this case you get bounced to a site hosted on 5.61.36.231 (3NT Solutions / Inferno.name):
[donotclick]mobile.downloadadobecentral.ru/FLVupdate.php, then to
[donotclick]mobile.downloadadobecentral.ru/FLVupdate2.php, from where it attempts to download a file called FlashUpdate.apk.

3NT Solutions / inferno.name is a known bad actor and you should block all their IPs on sight, in this case they have a netblock 5.61.32.0/20 which I strongly recommend that you route to the bitbucket.

FlashUpdate.apk has a VirusTotal detection rate of 22/47, but most Android users are probably not running anti-virus software. The Andrubis analysis of that .apk shows a network connection to 94.185.85.131 (Netrouting Telecom, Sweden) plus (oddly) some pages loaded from ticketmaster.com.

It just goes to show that what you think might be harmless spam can actually be something very, very different if you access it on a mobile device.

Recommended blocklist:
5.61.32.0/20
94.177.128.10
74.50.122.8
94.185.85.131
downloadadobecentral.ru
jariaku.ru
350600700200.ru
overcomingthefearofbeingfabulous.com

UPDATE 2014-05-25: Note that overcomingthefearofbeingfabulous.com has been cleaned up and appears to be no longer compromised.
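As an added example (not code from the original post), here is one way a practitioner might actually apply the blocklist above to proxy logs rather than just pasting it into a firewall. It parses the published list into IP networks and domain names, then checks each Squid-style access.log line against both the URL's host and the upstream peer address, so a request to a previously unseen subdomain such as mobile.downloadadobecentral.ru, or a redirector sitting anywhere inside 5.61.32.0/20, is still caught. The log lines are constructed for the demonstration; the indicators are the post's own.

```python
import ipaddress
from urllib.parse import urlsplit

# The blocklist published in the post above, verbatim.
BLOCKLIST = """\
5.61.32.0/20
94.177.128.10
74.50.122.8
94.185.85.131
downloadadobecentral.ru
jariaku.ru
350600700200.ru
overcomingthefearofbeingfabulous.com
"""

# Constructed Squid access.log lines (not real traffic). The first three replay the
# redirect chain described above as an Android client would see it; the rest are benign.
SAMPLE_LOG = """\
1392980001.123    512 10.0.0.21 TCP_MISS/302 412 GET http://overcomingthefearofbeingfabulous.com/xjvnsqk/fbktojkxbxp.php - DIRECT/74.50.122.8 text/html
1392980002.456    230 10.0.0.21 TCP_MISS/302 380 GET http://mobile.downloadadobecentral.ru/FLVupdate.php - DIRECT/5.61.36.231 text/html
1392980003.789   1500 10.0.0.21 TCP_MISS/200 2048 GET http://mobile.downloadadobecentral.ru/FLVupdate2.php - DIRECT/5.61.36.231 application/vnd.android.package-archive
1392980004.000    100 10.0.0.42 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1392980005.000    100 10.0.0.42 TCP_MISS/200 5120 GET http://notdownloadadobecentral.ru/ - DIRECT/198.51.100.7 text/html
"""


def parse_blocklist(text):
    """Split a mixed indicator list into IP networks and domain names."""
    networks, domains = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # A bare IP becomes a /32; strict=False tolerates host bits set in a CIDR.
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.add(line.lower().rstrip("."))
    return networks, domains


def host_matches(host, networks, domains):
    """True if host is inside a listed network, is a listed domain, or is a subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        labels = host.split(".")
        # Walk up the label tree so mobile.downloadadobecentral.ru hits
        # downloadadobecentral.ru while notdownloadadobecentral.ru does not.
        return any(".".join(labels[i:]) in domains for i in range(len(labels)))
    return any(addr in net for net in networks)


def scan_log(lines, networks, domains):
    """Check each Squid line's URL host and upstream peer IP; return the hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 9:
            continue
        client, url, peer = fields[2], fields[6], fields[8]
        host = urlsplit(url).hostname or ""
        peer_ip = peer.partition("/")[2]  # "DIRECT/5.61.36.231" -> "5.61.36.231"
        reasons = []
        if host_matches(host, networks, domains):
            reasons.append("host:" + host)
        if peer_ip not in ("", "-") and host_matches(peer_ip, networks, domains):
            reasons.append("peer:" + peer_ip)
        if reasons:
            hits.append({"client": client, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    nets, doms = parse_blocklist(BLOCKLIST)
    for hit in scan_log(SAMPLE_LOG.splitlines(), nets, doms):
        print(hit["client"], hit["url"], ", ".join(hit["reasons"]))
```

Checking the peer address as well as the host name matters for this particular chain: the first hop is a compromised but otherwise legitimate domain, and once it is cleaned up (as the update above notes) only the IP-level indicators for the redirector and the 3NT netblock remain useful.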

Friday, 20 September 2013

WhatsApp "3 New Voicemail(s)" spam and 219.235.1.127

I am indebted to Gary Warner for his analysis of this malware. But I can't resist having a poke at it myself. This malware is particularly cunning.

First of all, it starts with a WhatsApp-themed spam:

From:     WhatsApp Messaging Service
Date:     20 September 2013 19:36
Subject:     3 New Voicemail(s)

WhatsApp

You have a new voicemail!
Details
Time of Call: Sep-17 2013 04:05:07
Lenth of Call: 04 seconds

Play

*If you cannot play, move message to the "Inbox" folder.

2013 WhatsApp Inc 

I'm sort-of-vaguely aware of the existence of WhatsApp in the same way that I am vaguely aware of my wife's birthday. Here's the thing though.. click on the link on the PC and you get a fake Plesk 404 page (see this report). But click on it using an Android device and you get something very different.

So, armed with a random Android user agent string and WGET, I accessed the link (in this case [donotclick]www.organocontinuo.com/app.php?message=hADXwckiPdaYKjapSiWJyMR/guGMDz4l8/PCDGmSemg=) and ended up with a 2,735,848 byte file called WhatsApp.apk instead.

I didn't test this on an Android device or the ADK, but apparently it is possible that clicking the link installs the malware without asking on certain devices. The VirusTotal score for this .apk is a pretty healthy 21/48, but who runs anti-virus software on their Android? (If you aren't running AV, then try this).

So what does it do? Well, I've been using the Anubis sandbox to analyse Windows binaries for a while, but it can analyse Android .apk files too, which is pretty darned cool. And this is what Anubis sees the malicious Android app doing.

Now, if you've read Gary's blog then you will know that this is an Android-based fake anti-virus application. Anubis says that the application's reported URL is defenderandroid.org but I am not sure if this is fake. However, the application certainly seems to send traffic to 219.235.1.127 (Shanghai QianWan Network, China) which is probably a darned good candidate for blocking (if you can). This IP has been spotted with PC-based fake AV programs before [1] [2] [3].

Up until April, the IP 219.235.1.127 hosted the domains w0580.com and juyuanfang.com, both registered to the same person using the email address sisibin@qq.com. I do not know if they are connected with the fake AV in any way.

Although mobile malware is getting more common, this is the first time that I have seen an attack like this. All smartphone and tablet users need to be aware of the very real risks of malware on their devices and should take the appropriate steps to keep themselves safe.
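Both this post and the February 2014 one above rely on the same check: fetch the link once with a Windows User-Agent and once with an Android one, and compare where the redirects end up. The following added example (not code from the original posts, and not a fetch of the real URLs) scripts that comparison. It starts a small local HTTP server that imitates the cloaking behaviour described (a throwaway HTML page for desktop browsers, a two-hop redirect to an .apk for Android) and then walks the redirect chain hop by hop with each User-Agent, so the whole chain is recorded rather than only the final page. The host names, paths, User-Agent strings and the fake APK bytes are all constructed.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed User-Agent strings: one desktop, one Android.
WINDOWS_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/33.0"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 4.4; Nexus 5) AppleWebKit/537.36 Mobile"

APK_MIME = "application/vnd.android.package-archive"


class CloakingHandler(BaseHTTPRequestHandler):
    """Stand-in for the redirector: the same link behaves differently per User-Agent.

    /landing         -> 302 to /pills.html (desktop) or /update.php (Android)
    /update.php      -> 302 to /FlashUpdate.apk (the second hop seen in the Feb 2014 post)
    /FlashUpdate.apk -> a fake APK (only the zip magic bytes; constructed)
    anything else    -> a harmless HTML page
    """

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        path = urllib.parse.urlsplit(self.path).path
        if path == "/landing":
            self._redirect("/update.php" if "Android" in ua else "/pills.html")
        elif path == "/update.php":
            self._redirect("/FlashUpdate.apk")
        elif path == "/FlashUpdate.apk":
            self._body(b"PK\x03\x04" + b"\x00" * 28, APK_MIME)
        else:
            self._body(b"<html><body>buy pills</body></html>", "text/html")

    def _redirect(self, location):
        self.send_response(302)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _body(self, data, content_type):
        self.send_response(200)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the server quiet during the demo


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects itself so every hop can be recorded."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_chain(url, user_agent, max_hops=10):
    """Follow redirects by hand; return (hops, final Content-Type, first four bytes)."""
    opener = urllib.request.build_opener(NoRedirect())
    hops = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(hops[-1], headers={"User-Agent": user_agent})
        try:
            with opener.open(req, timeout=5) as resp:
                return hops, resp.headers.get("Content-Type", ""), resp.read(4)
        except urllib.error.HTTPError as err:
            # With NoRedirect in place a 3xx surfaces as an HTTPError; record the hop.
            if err.code in (301, 302, 303, 307, 308) and err.headers.get("Location"):
                hops.append(urllib.parse.urljoin(hops[-1], err.headers["Location"]))
                continue
            raise
    raise RuntimeError("redirect chain longer than %d hops" % max_hops)


def compare_user_agents(url):
    """Fetch url as Windows and as Android; flag UA cloaking and APK delivery."""
    report = {}
    for name, ua in (("windows", WINDOWS_UA), ("android", ANDROID_UA)):
        hops, ctype, head = fetch_chain(url, ua)
        report[name] = {
            "hops": hops,
            "content_type": ctype,
            # Trust the bytes as well as the header: APKs are zip files, so "PK\x03\x04".
            "apk": ctype.startswith(APK_MIME) or head == b"PK\x03\x04",
        }
    report["cloaked"] = report["windows"]["hops"][-1] != report["android"]["hops"][-1]
    return report


def start_server():
    """Start the fake redirector on a random localhost port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_server()
    result = compare_user_agents("http://127.0.0.1:%d/landing" % srv.server_port)
    for name in ("windows", "android"):
        print(name, " -> ".join(result[name]["hops"]), result[name]["content_type"])
    print("cloaked:", result["cloaked"], "android gets APK:", result["android"]["apk"])
    srv.shutdown()
```

Pointing compare_user_agents() at a real suspect URL does the same job as the wget run described above, with the hops written down for a report; do that from an isolated analysis box, never a device you care about, since the whole point of the chain is to hand an .apk to anything that looks like a phone.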

Friday, 4 May 2012

Xvideos.com IP hosting malware C&C servers

For the latest analysis, see the update at the bottom of this post.

I've written about malware on xvideos.com before.. this is the 52nd most popular site in the world, and is one of the world's most popular porn sites. The last time, the xvideos.com site itself was infecting visitors. This time it's something a bit more subtle, and it affects Android smartphone users.

The Naked Security blog and Lookout Security blog analyse a report on Reddit about an infected web page that appeared to impact Android devices. The analysis by the two blogs comes up with two different C&C servers for the malware - 3na3budet9.ru and notcompatibleapp.eu, both hosted on 141.0.172.199.

This IP address is significant, because it is one used by Xvideos.com:

05/04/12 10:50:08 dns xvideos.com
Mail for xvideos.com is handled by aspmx3.googlemail.com aspmx2.googlemail.com alt2.aspmx.l.google.com alt1.aspmx.l.google.com aspmx.l.google.com aspmx5.googlemail.com aspmx4.googlemail.com
Canonical name: xvideos.com
Addresses:
  141.0.172.197
  141.0.172.198
  141.0.172.199
  141.0.172.200
  141.0.172.201
  141.0.172.202
  141.0.172.204
  141.0.172.205
  141.0.172.206
  141.0.172.207
  141.0.172.208
  141.0.172.209
  141.0.172.210
  141.0.172.211

You can probably safely block the whole 141.0.172.0/24 if you want. So who exactly is xvideos.com? Well, it claims to be a Hong Kong company called Copypaste Ltd:

Handle..............: CLI-299346
Name................: Copypaste Limited
Street..............: 3/F, 65 Wyndham street, Central district
Postalcode..........: N/A
City................: Hong Kong
Province............: HK
Country.............: HK
E-mail..............: domain@copypaste-limited.com
Phone...............: +852 2530 1793

These IPs are operated by Reality Check Network, and form part of AS46652 which doesn't have a stellar reputation:

Safe Browsing

Diagnostic page for AS46652 (RCN)

What happened when Google visited sites hosted on this network?
Of the 414 site(s) we tested on this network over the past 90 days, 6 site(s), including, for example, xnxx.com/, porn.to/, burningcamel.com/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2012-05-04, and the last time suspicious content was found was on 2012-04-23.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 3 site(s) on this network, including, for example, egameads.com/, plugrush.com/, jshell.net/, that appeared to function as intermediaries for the infection of 6 other site(s) including, for example, bestof-youtube.com/, jsfiddle.net/, zff.co/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 1 site(s), including, for example, jshell.net/, that infected 1 other site(s), including, for example, jsfiddle.net/.

The question is.. are xvideos.com deliberately hosting these malware C&C servers, or have they been compromised in some way? It's difficult to say, but I would certainly recommend that you do your porn surfing elsewhere as long as this carries on.

Update 13/6/12: these domains still resolve to the xvideos.com IP, but the C&C servers appear not to be functioning. As some of the commenters say, it could be that the bad guys simply pointed their DNS to xvideos.com at random, although out of all the IP addresses they could choose it's odd that they chose the one they did. At the moment, xvideos.com appears clean but there are several related sites and netblocks which should be avoided.

In particular, the AS46652 block is extremely dangerous. Google's diagnostic page says that 181 out of 603 sites in that block serve malware. If you want to block this AS then the IPs appear to be:
69.55.48.0/20
141.0.168.0/24
141.0.172.0/22
38.74.208.0/20

Thursday, 3 May 2012

Samsung Galaxy S III

I think it's fair to say.. that this is a very, very nice device indeed. Quad-core CPU, Android 4.0, a big HD screen and lots of goodies that will distract you from the (presumably) wallet emptying price. Yes.. it's the Samsung Galaxy S III which is probably the second most anticipated device of the year after the iPhone 5!


Tuesday, 14 February 2012

This is why I won't be using F-Secure Mobile Security

F-Secure Mobile Security is not a bad product - it includes anti-theft software, a virus scanner and a supposedly secure browser. In the UK, F-Secure charge £29.95 a year for this, which is pricey for an Android application, but usually F-Secure products are very good. You can get a month's free trial before you buy.

It has some strengths and weaknesses. But I won't be upgrading to the paid version. Why not? Well, every day the same nag message comes up:
F-Secure would like to have your phone number for the purposes of possible product information and marketing related messaging. The cost of approval is that of one-time standard SMS to Finland. Do you agree?
There are two buttons.. Yes and No. Click "No" and the message seems to go away.. until the next day. And the day after that. And the day after that. You get the picture. Either this is a bug or it is a very aggressive attempt to get you to agree to SMS marketing. Either way it's a big turnoff and I'll be looking for another product to protect my Android..

Tuesday, 11 October 2011

Cyanogenmod.com compromised with warlikedisobey.org injection

Cyanogenmod.com is a site offering legitimate custom firmware for Android devices. It's a popular site, pulling in about 100,000 unique US users per day according to compete.com, and it has an Alexa rank of 6728.

Unfortunately, the site has been compromised in an injection attack with a hard-to-diagnose piece of malware attempting to load code from warlikedisobey.org/coehegzxw8xgahtrb on 66.197.158.102. The code seems resistant to several common analysis tools. The injection attack is hidden on the very first line of HTML on the home page.. you have to scroll a long way right to see it.

Update 12/10: it looks like the site is currently clean, but it might get re-infected if the core problem hasn't been fixed.

Update 20/10: it turns out that it isn't clean at all, but the exploit code is not present all the time. It could be that something is going on at Cloudflare who provide load balancing for the site, but I've never seen that sort of issue with Cloudflare before.

I haven't been able to analyse the payload yet. There is a possibility that it might target Android devices.

The domain is registered through Bizcn.com in China to the following registrant:

Registrant ID:orgff14354361081
Registrant Name:Henry Nguyen Gong
Registrant Organization:Privacy-Protect.cn
Registrant Street1:Rue la produit 34
Registrant Street2:
Registrant Street3:
Registrant City:Nimes
Registrant State/Province:Languedoc-Roussillon
Registrant Postal Code:30189
Registrant Country:FR
Registrant Phone:+33.466583875
Registrant Phone Ext.:
Registrant FAX:+33.466583875
Registrant FAX Ext.:
Registrant Email:contact@privacy-protect.cn


privacy-protect.cn is very commonly used by criminals to cover their tracks. A Google search for 66.197.158.102 indicates that the IP address is in use by several malicious domains (listed below).

A look at the Cyanogenmod.com forums indicates that similar attacks have been happening since September 25th:


Does anyone know what this is? I got a warning from Norton with High severity saying I was attacked by sloughsputter.org and warlikedisobey.org from 66.197.158.102:80 when I entered into the touchpad forum for this website. The IPS alert name is: web attack malicious exploit kit website at High risk 

Blocking traffic to 66.197.158.102 is probably a good idea. It looks like there may be other problems in 66.197.158.0/24 so you could block the whole range as a precaution.

The following domains are hosted on 66.197.158.102:


acclaimpump.org
acreafloat.org
aeroadore.org
affairmedley.org
afraiddown.org
againindorse.org
alertworsted.org
analyseshort.org
ardorloathe.org
arraigngarment.org
assortsetto.org
bakedemure.org
balloontroops.org
baskettubular.org
beandown.org
bedridpollute.org
benttopple.org
bequestramble.org
blazefiddle.org
blisswilds.org
boardbutts.org
bringgreed.org
bunkscamp.org
burntbrought.org
butchermeetm.org
bywordtoll.org
cackleshaggy.org
capsuletrapeze.org
carptheirs.org
cellarprank.org
cellchin.org
cementshout.org
choreuphold.org
clamourunion.org
classiclily.org
clerkinure.org
comechirp.org
crafttexture.org
damaskslab.org
declaimtaunt.org
decreecattle.org
delayabrige.org
desisthateful.org
deskoccur.org
devoidshed.org
dimsadden.org
dirttouchy.org
discernpitcher.org
divingpeddle.org
dotingbouquet.org
eclipsedensity.org
economyjersey.org
elateexample.org
elkrecline.org
embraceniece.org
enigmaflutter.org
enjoyocean.org
enrolcaw.org
estril.org
eventliving.org
evermist.org
eyescanty.org
facingsinvade.org
factionchurch.org
fallacypour.org
fangwrath.org
fiancesardine.org
fishingbeet.org
flaxnap.org
foggystudent.org
foresttruck.org
fuzzoffal.org
gailyflounce.org
gazettesay.org
ghatlend.org
ghatreds.org
gibbetshook.org
gladespilt.org
godliketourist.org
goodantics.org
grandetidings.org
grenadeabove.org
gruver.org
gulpillegal.org
halcyonet.com
hamcadet.org
heronuntrue.org
hideousmindful.org
hillocksaunter.org
horntreason.org
hotspurequal.org
hourmesh.org
hulknutmeg.org
hungermouth.org
hymnrough.org
idearevel.org
ignservice.com
inclosegem.org
incurhealth.org
inducttrunk.org
innentry.org
innersoloist.org
inroadperish.org
installherb.org
intentbell.org
ironingonset.org
itemizefir.org
jarabroad.org
javarequest.com
javatooltip.com
jewishdin.org
jocularputrefy.org
jstooltip.com
juicecaulk.org
justlysubtle.org
kalmup.org
kinoutlaw.org
lambkinclad.org
laundrysudden.org
leanspeck.org
letconsul.org
libelconvoy.org
lieweld.org
likesfetter.org
linseedpaste.org
lodgersow.org
loitercash.org
longingashamed.org
lowlymeaty.org
lowsnooze.org
maniashow.org
mashscamp.org
maximumnone.org
memoirsmatrix.org
milletavoid.org
miserytenure.org
modernbin.org
morphiaseaside.org
movingsnip.org
mummeryscales.org
musterydecoy.org
muzzleastute.org
nationearn.org
naughtgrubby.org
nestjolt.org
netllookup.com
nightlyseeds.org
nodeconvert.org
noisomechicane.org
nominalunwary.org
nullcandy.org
numbuse.org
oatmealfrisk.org
oatmealshatter.org
opticmoving.org
orationyou.org
orderdid.org
orhanhundred.org
otspark.org
overrunwooden.org
pactcelery.org
pastrydug.org
pedalslacken.org
pentfinite.org
pentmull.org
phantombecame.org
phantomsell.org
pigskinturn.org
pilgrimstrut.org
plentyvicious.org
plumtreacle.org
pompousdenial.org
ponderbelong.org
popestrict.org
portionchagrin.org
posyhatch.org
potseclude.org
prancecontour.org
praysad.org
precededynamic.org
primacyresin.org
prosaiccube.org
provereject.org
puristar.org
purposestupid.org
quartpliancy.org
racialfreshe.org
rashcrowd.org
readerocular.org
rebirthfalcon.org
rectoryfeign.org
refereeshe.org
reflexpan.org
refundwine.org
remissdeceive.org
repentavow.org
repulsemaximum.org
riddensoot.org
rsstooltip.com
runletlanky.org
saintlunatic.org
sapammonia.org
savourotter.org
scumwoollen.org
seniormilage.org
shouldfasten.org
sinnerreflex.org
sirsize.org
skimlyrical.org
slopestipend.org
sorrelramble.org
sprutnetwork.com
squealflirt.org
staideconomy.org
starryplank.org
stowgranary.org
stripescud.org
studentfairly.org
stuffwrestle.org
stuntedvote.org
subdueshone.org
suctionbanking.org
suitebillion.org
sunnyscythe.org
superbhotbed.org
taintfurl.org
talkerrun.org
tasteleg.org
tensionwarble.org
testradiant.org
timelymaze.org
titledrutty.org
toiletarchway.org
torturetactful.org
totaltwelfth.org
trafficgarland.org
trashnote.org
trickleivy.org
trivialappears.org
tunebask.org
turbidworship.org
undoingperfect.org
unduedome.org
unitepulpit.org
unshipreckon.org
usheronce.org
vacancyagainst.org
veinassert.org
vileisolate.org
visapeer.org
votegroggy.org
voyagebud.org
vultureoffer.org
waivertouch.org
warlikedisobey.org
waspad.org
wastefuzz.org
wedanthem.org
wettrend.org
whimperchart.org
widowerfeeble.org
wivestemple.org
woecake.org
woverecruit.org
wretchninny.org
zippuny.org

Tuesday, 23 September 2008

T-Mobile G1

It's kind of hard to tell if the T-Mobile G1 is the next big thing or just some sort of damp squib. It may not look as impressive as the iPhone on the top, but underneath the G1's Android operating system looks promising.

Oddly enough, it got me thinking about how I use my own phone.. and I tend to use web access more than anything else, but make only a couple of phone calls on it a week; sometimes I will listen to music or snap a photograph. I think I tried video calling once. So perhaps this G1 thingie is actually more in line with what a lot of sad geeky people like me actually want.

Anyway, this comes out in October in the US, November in the UK and early next year for other T-Mobile customers. Some more pictures are here.