Mobile Malware Alert: “Bill Shocker” Can Cost Users Money

New mobile malware’s been discovered

NQ Mobile’s Security Research Center has unearthed a nasty piece of malware called “Bill Shocker.” Using our proprietary RiskRanker™ cloud scanning engine, our engineers have confirmed this disturbing discovery.

What makes it shocking? First, it’s potentially one of the most costly viruses yet discovered. In addition, it’s already impacted over 600,000 users in China, and presents a potential threat to Android devices worldwide.

How this particular infection spreads

Bill Shocker is an SDK-type (Software Development Kit) virus. Our experts, using NQ’s RiskRanker system, found the virus attached to several of the most popular mobile apps in China, including Tencent QQ Messenger and Sohu News. Third-party online app stores and retail installation channels are distributing the infected versions of these apps, which is allowing them to spread like wildfire.

What Can Bill Shocker Do?

Bill Shocker malware silently downloads itself in the background of your mobile device without your knowledge. It takes remote control of the device, including your contact list, Internet connections, dialing and texting functions. Once it’s turned your phone into a “zombie,” it sends text messages that create financial gains for advertisers. In many cases, the threat will overrun a user’s bundling quota, which subjects you to even more unwanted charges.

NQ Mobile’s RiskRanker system identifies potentially dangerous apps before they have the opportunity to impact users’ phone bills. RiskRanker determined that the Bill Shocker malware is capable of upgrading itself and automatically expanding to other apps, multiplying its potentially disastrous effects.

What we’re doing about it

Because Bill Shocker can be used to send costly messages remotely, NQ Mobile believes it poses a serious threat to Android users.

  • We’ve already inoculated our cloud-based NQ Mobile Security product to keep our customers safe.
  • As a public service, NQ Mobile has posted an anti-malware app to help protect all Android users. It can be found here.
  • Our researchers have alerted Chinese mobile carriers to the threat to prevent the spread of these kinds of threats. We’ve also provided our RiskRanker cloud-scanning engine to China’s top mobile carriers, including China Mobile and China Unicom, as well as Baidu Mobile Services, to help them prevent any further spread of malicious mobile viruses.

NQ Mobile technology helps to curb the spread of malware such as Bill Shocker and variants across borders and oceans. However, this is an important reminder that these threats are very real and can have devastating effects. With its proprietary threat detection system that includes the collective intelligence provided by users in more than 150 countries, NQ Mobile finds most threats before anyone else.

Our tips to avoid mobile infection

To avoid becoming a victim of mobile malware, our experts ask you to follow some common-sense guidelines for smartphone security:

1) Only download applications from trusted sources, reputable application stores, and markets, and be sure to check reviews, ratings and developer information before downloading.

2) Never accept application requests from unknown sources. Closely monitor permissions requested by any application; an application should not request permission to do more than what it offers in its official list of features.

3) Be alert for unusual behavior on the part of mobile phones and be sure to download a trusted security application that can scan the applications being downloaded onto your mobile device. NQ Mobile Security users are already fully protected from the “Bill Shocker” threat.
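One way to apply the permission check from tip 2 is to compare the permissions requested by a copy of an app from a third-party source against those requested by the official release. The following is an added example, not NQ Mobile's code or part of the original post. Both manifests are constructed samples already decoded to text, and mapping these four permissions to the capabilities described in the alert is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: standard Android permissions that correspond to the capabilities
# the alert describes (contacts, Internet, dialing, texting). The page does not
# list the permissions Bill Shocker actually requests.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send text messages (possible charges)",
    "android.permission.CALL_PHONE": "can place calls without user confirmation",
    "android.permission.READ_CONTACTS": "can read the contact list",
    "android.permission.INTERNET": "can open network connections",
}

# Constructed sample: manifest of the official release.
OFFICIAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.news">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

# Constructed sample: same package name obtained from a third-party store.
THIRD_PARTY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.news">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {name for name in names if name}


def added_permissions(reference_xml, candidate_xml):
    """Permissions the candidate copy requests that the reference copy does not."""
    extra = requested_permissions(candidate_xml) - requested_permissions(reference_xml)
    return sorted(extra)


def review(reference_xml, candidate_xml):
    """Pair each added permission with a short reason it deserves a closer look."""
    return [
        (perm, SENSITIVE.get(perm, "not requested by the official release"))
        for perm in added_permissions(reference_xml, candidate_xml)
    ]


if __name__ == "__main__":
    for perm, reason in review(OFFICIAL, THIRD_PARTY):
        print(f"{perm}: {reason}")
```
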

NQ Mobile Security for Android is available for download from our website, and on Google Play.

Read our news release.

5 Smartphone Rules for Kids on Data Privacy Day

In honor of Data Privacy Day, January 28, 2013, we’ve outlined just a few basic rules of thumb to discuss with your kids. Just like you, we want them to be smarter and safer smartphone users.

1. Have your kids make sure their smartphone password is complex enough that it can’t be guessed. This simple rule has been repeated so many times, it’s amazing how many kids think it just doesn’t apply to them. But your kids need to know that cyber criminals have long lists of frequently-used passwords; they have methods and formulas to help them crack a password that’s too simple. Sit down together and try out an idea or two:

The first initials of words in a certain verse of a favorite song, with an added number and special character (upper case or punctuation character), make a password easy to remember for the user, and hard to crack for a criminal. Here’s a silly, but realistic example: You are my sunshine, my only sunshine might be YAMSMOS!. Easy for you to remember, but not so easy for a thief to figure out.

2. Make it a family rule that no apps are to be downloaded without parental approval or, at least, without a strong grasp of permission agreements. If your kids are older teens, they should learn how to read an app’s terms and conditions. The terms frequently include permission to share their private data, and the info’s typically embedded in the fine print. If your smartphone kids are younger, be sure you know how to read the permissions yourself, and make sure your kids’ data isn’t being spread to unknown sources. Another simple rule for downloading apps: No clicking on ads for free apps – ever! They’re so often loaded with malware, it’s not worth the risk. Remember, nothing is really free. And, while you’re at it, tell your kids that urgent messages asking for personal information updates are to be strictly ignored.

3. The geo-location features on your kids’ phones need to be in the off position unless there’s a specific travel and tracking plan. When they’ve arrived or finished using the feature, it should be returned to the off position – no exceptions. Geo-location features are an amazing boon to smartphone technology and add an entire layer of usability for adults. But, they’re also used by predators to track kids’ locations and activities. In the same way we teach kids not to open the door to a stranger, we need to teach them to keep the geo-door shut on their smartphones. It’s simple, but critical to safety and privacy.

4.  Be sure your family’s phones all have a strong security package installed. There’s no substitute for a product that catches bad stuff before it reaches your handset.  As parents, we can rest easier knowing our kids aren’t picking up viruses and malware. If you feel the need to monitor your kids’ smartphone activities, download a parental guidance package that will let you block undesirable content, and observe their activities without being intrusive.

5.  Finally, don’t post anything online that you wouldn’t feel comfortable showing your parents, teachers and grandparents…ever.

At NQ Mobile, we’re committed to teaching parents and kids how to stay safe on their smartphones. We’re champions of Data Privacy Day, and advocates for the best mobile security possible for everyone. The National Cyber Safety Alliance has websites full of information, FAQs, tips and studies to help you learn the best online practices for your family, including their Stop, Think, Connect program. We invite you to explore their material and share what you’ve learned with your kids. Wishing you a productive and safe Data Privacy Day, Monday, January 28, 2013!

How social network privacy settings could damage your future

January 28th is National Data Privacy Day, a nationwide effort to raise awareness about the importance of taking steps to protect the privacy of your personal and financial data. In the week leading up to Data Privacy Day we’ll be focusing on the best methods to protect your personal data from harm.

Regular users of social media are mostly cautious about the content they post online, but a single mistake could greatly affect their future. An increasing number of companies and schools are monitoring the social network activity of employees and students, both current and potential candidates, and any bad behavior could provoke a negative reaction.

Having your online actions monitored starts at an early age. Just recently a suburban Los Angeles school district started paying a private company to monitor and report on 14,000 middle school and high school students. The program is meant to enhance the safety of students by alerting officials of any serious threats, mentions of suicide, or illegal actions. All children being monitored are over the age of 13, so no parental consent is required and some students may be unaware that people are watching them online. A bad joke, out-of-context post, or picture of a fake weapon could have serious consequences.

Once students move on to higher education, college admissions officers will be reviewing their social media profiles for any warning signs. A recent survey (.pdf) found that an increasing number of admissions officers perform Google searches on potential students and check out their social network history. Of those that looked up an applicant online, 35% said they discovered something online about an applicant that negatively impacted their application. That’s a 218% increase over the previous year and it should continue to increase as younger admissions officers who are more savvy with social media take over.

After students graduate, they will once again be screened by recruiters when they apply for jobs. A social recruiting survey (.pdf) found that 93% of recruiters are likely to look at a candidate’s social profile. Some of the things that caused negative reactions include references to illegal drugs, posts of a sexual nature, profanity, spelling errors, references to guns, and pictures of consumption of alcohol. After viewing content from a social profile, 42% of recruiters have reconsidered a candidate.

Here are some tips and questions you should ask to help protect you when using social networks.

  • Do you own your online presence? You don’t have to rely on “recommended” settings or default settings. Learn about the controls available and make your own decisions. It’s okay to limit with whom you share your information. It is okay to not accept a friend request.
  • Do you know who will see what you post? Consider who may have access to your profile: family, friends, friends of friends, your school, college admissions officers, and potential employers. Set the privacy and security settings to your personal comfort level for information sharing.
  • Did you know your online reputation can help you? Create a strong, positive personal brand for yourself online. Show your smarts, thoughtfulness, and mastery of the digital environment. This can help you with school admissions and during job searches.
  • Did you know your online reputation can hurt you? What you post will be around for a long time. Think ahead and evaluate if what you post today is what you will want people to know about you in the future.
  • Did you know your privacy is only as protected as your least reliable friend allows it to be? When you choose to share information with anyone in your networks, they can easily forward it or post it. Make sure they will handle your information with care and trust. Avoid sharing compromising photos and information.
  • Is your password long, strong and unique? Combine capital and lowercase letters with numbers and symbols in a unique password for each online account. Passwords are personal information that should not be shared.
  • Do you know what information you should not share on a profile page? Your phone numbers, home address, full date of birth, travel plans, email address, class schedules, social security number, passwords, family financial information, bank or credit card numbers shouldn’t appear on your profile.
  • Do you know that your friends trust you with their information? Post only about others what you would have them post about you. It’s the golden rule.

Social media users should always think twice before posting something online and manage their privacy settings, but there is no foolproof way of hiding your online actions. Social networks are constantly changing their privacy policies and search engines make it easier to surface your online history. The best advice is to assume that any of your private online content could one day become public or just avoid posting questionable material online.

Employees Who Want BYOD: A Few Tips

Are you still discussing the pros and cons about bringing your own mobile devices to work? It’s a concept that’s been subject to debate for quite some time now, and many enterprises have resolved the issue by implementing new forms of network security, as well as strict policy guidelines for employees.

We each have a preference for certain types of gadgets, whether it’s our favorite smartphone or tablet. Being comfortable with our own devices could improve efficiency, after all. Also, if the corporation isn’t paying for our devices or monthly service, they should be happy to have employees use their own gadgets for work.  Shouldn’t they?

If management’s being a bit stubborn about allowing personal devices, consider the security challenges your employer and IT managers may need to address to accommodate this arrangement.

1. Your company may need to adopt a mobile device management system to track devices connected to the enterprise’s network. IT managers may place limitations on what you can use and what you can do on your smartphone or pad – for a good reason. Consider how many different makes, models, and operating systems are available to the consumer, and the risks those variations might present to a corporate system. The MDM (mobile device management) system is critical to the secure flow of information between the enterprise and individual mobile users.

2.  Mobile users download apps – a lot of apps. When corporate data is accessible on a personal device, infected apps can easily be transferred into the larger system and, likewise, proprietary information can be transferred out of the system. Mobile app management (MAM) is a complex aspect of security that must be incorporated to protect the security and health of the enterprise’s network. Your company may be forced to blacklist certain sites or apps, which may cramp your personal style. It’s a compromise.

3.  It seems unlikely, but when personal devices are used on the job, funds can get mixed up.  Especially when reps, agents and other less desk-intensive employees are out in the field, personal purchases can get inadvertently charged to the company, and corporate purchases end up on private charge accounts. Messy, and unacceptable. Again, your enterprise may be forced to place specific limits on mobile purchasing, just to avoid the potential accounting nightmares.

These are just a few concerns from the corporate side of things, but resolving them can be complex and time-consuming. Certainly, other issues arise, such as employees who spend an inordinate amount of time on personal activities with their devices, and other personnel-related issues that come up. The main point is, it’s not easy for a large network to maintain strong security while employees are tapping into data and documents with their personal devices.

So, be patient while your company figures it all out, follow their rules, and be sure to secure your own device with the strongest, most reliable mobile security on the market.

Do you have some thoughts or comments about the BYOD debate? Has your company got it all figured out? We’d love to hear from you on our blog, or join us on our Facebook page.

How secure is my password?

January 28th is National Data Privacy Day, a nationwide effort to raise awareness about the importance of taking steps to protect the privacy of your personal and financial data. In the week leading up to Data Privacy Day we’ll be focusing on the best methods to protect your personal data from harm.

Passwords are not a perfect system, but they are the first line of defense against hackers and criminals. Many companies are already working on new standards that will replace the password, but for now the best strategy to protect your online accounts is to create strong passwords and keep them secure.

There are many tips for creating strong passwords, but a general rule is that length is the most important factor of password strength. If guessing your password is like finding a needle in a haystack, then it is critical to have a really big haystack. To understand what makes a strong password, you must explore the methods used to crack passwords.

The more common methods of password cracking involve dictionary attacks, pattern checking, and word list substitution. These types of attacks attempt to reduce the number of trials required before a password is guessed. If these types of attacks are unsuccessful, then a hacker might attempt a brute force hack or exhaustive key search, which consists of systematically checking all possible keys or passwords until the correct one is found.

This means that longer passwords should be harder to crack because they contain more possible combinations. A comic from xkcd jokes that a passphrase containing four random words like “correct horse battery staple” is harder to crack than a complex password containing numbers, letters, and symbols like “Tr0ub4dor&3.” The comic is mostly correct because the four random words have more key combinations than the shorter password, but it’s important to introduce a little randomness and complexity to make your passwords even stronger.

One of the best strategies for the strongest passwords is to combine two popular tactics – length and mutation. Length is pretty simple to understand and it involves creating a longer password with more characters, while mutation uses numbers and symbols to replace common letters.

For example, the previous password “correct horse battery staple” could be strengthened by introducing some mutation and coming up with “c0rr3ct h0r$3 b@tt3ry st@pl3.” Long, complex passwords can be difficult to remember, but the use of passphrases with common words can make them easier to memorize.
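To put numbers on the haystack for the three passwords quoted above, the added example below (not part of the original post) measures each one under the two attack styles the article names: an exhaustive brute-force search and a word-list attack that also tries substituted spellings. The 2048-word list is the figure used in the xkcd comic, and two spellings per word is an assumption made for illustration.

```python
import math
import string


def charset_size(password):
    """Size of the smallest standard character pool that covers the password."""
    pools = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols
        (" ", 1),
    ]
    return sum(size for chars, size in pools if any(c in chars for c in password))


def brute_force_bits(password):
    """log2 of the haystack for exhaustive search: charset_size ** length."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(word_count, wordlist_size, variants_per_word=1):
    """log2 of the haystack when the attacker guesses whole words from a list,
    trying variants_per_word spellings (plain, substituted, ...) of each word."""
    return word_count * math.log2(wordlist_size * variants_per_word)


# Passwords quoted in the article.
SHORT = "Tr0ub4dor&3"
PHRASE = "correct horse battery staple"
MUTATED = "c0rr3ct h0r$3 b@tt3ry st@pl3"

# Assumptions, not values from the article: list size and spellings per word.
WORDLIST_SIZE = 2048
VARIANTS = 2


def haystack_report():
    """Haystack size in bits for each password under each attack model."""
    return {
        "short password, brute force": brute_force_bits(SHORT),
        "passphrase, brute force": brute_force_bits(PHRASE),
        "mutated passphrase, brute force": brute_force_bits(MUTATED),
        "passphrase, word list": wordlist_bits(4, WORDLIST_SIZE),
        "mutated passphrase, word list": wordlist_bits(4, WORDLIST_SIZE, VARIANTS),
    }


if __name__ == "__main__":
    for label, bits in haystack_report().items():
        print(f"{label:34s} {bits:6.1f} bits")
```

Each extra bit doubles the number of guesses needed. Against brute force the length of the passphrase dominates, while against a word-list attack the strength comes from how many words are chosen at random and how many spellings of each the attacker must try.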

Writing down your passwords is not a bad idea, but only if they are stored in a secret place that is not easily visible. One strategy might be to take a picture of your password and store it in a secure location like NQ Mobile Vault. Keep in mind that there is no way to reset your Vault password if you lose it, so it is important to keep a physical copy of any important passwords.

Don’t forget other basic tips like:

  • Using a unique password for each site
  • Turning on two-step authentication where available
  • Updating your browser and operating system to the latest version
  • Making sure your password recovery options are set correctly

Hopefully the passwords that we know today will become a thing of the past, but we must focus on strong passwords until that happens.

CES 2013: Omar Khan Talks With a Cat

The 2013 Consumer Electronics Show in Las Vegas last week was nothing short of fascinating. Mingling with space-age gadget designers and creative geniuses was our own Co-CEO, Omar Khan. Boonsri Dickinson from InfoWeek’s BYTE newsletter held a detailed interview with …