
7/26/2011

[Warning] Spreading malicious e-mail with the content of credit card suspension

1. Introduction

Malicious e-mails disguised as credit card suspension notices are prevalent these days, so users who hold credit cards, especially overseas ones, need to pay special attention.
These malicious e-mails were written overseas, but they are also being sent to users in Korea.


Because the message is disguised as a "Credit card suspension information mail", ordinary credit card holders may open it and then download and execute the attachment without suspicion.

2. Spreading path and symptoms of infection

This kind of malicious e-mail can reach users whose personal e-mail account information has been leaked. In addition, the malicious file attached to the e-mail can also be downloaded through other channels, including SNS and instant messengers.
The following figure shows one of these e-mails.

  
* Similar malicious e-mails 



* Mail body

Subject: Your credit card has been blocked

Dear User,

ATTENTION : Your credit card is blocked!
With your credit card was removed $ 586,96
Possibly illegal operation!
More info in the attached file.
Immediately contact your bank.
Best wishes, VISA CUSTOMER SERVICES.

Attachments: sample.exe

Subject: MASTER CARD TEAM 03

Dear Consumer,
Your credit card is blocked!
Your credit card was withdrawn $ 5107,94
Possibly illegal operation!
More information in the attached file.
Instantly contact your bank.
Best Wishes, MASTER CARD Team.

Attachments: fedex78123.exe

The mail leads the user to download the attachment in order to get more details about the credit card suspension.

These malicious e-mails may contain the following files as attachments.



The file names of these attachments may vary. The files attached to the malicious e-mails are usually fake anti-virus installation files. Detailed analysis is in progress.
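A mail filter or analyst can flag this pattern without trusting the file name, because a Windows executable starts with the bytes "MZ" whatever it is called. The following is an added example, not part of the original post: the sample message is constructed from the mail body quoted above, the attachment bytes are harmless stand-ins, and the function names, addresses and extension list are assumptions.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click (illustrative list, an assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def build_sample_message():
    """Constructed sample modelled on the mail body quoted in the post."""
    msg = EmailMessage()
    msg["Subject"] = "Your credit card has been blocked"
    msg["From"] = "service@example.invalid"  # constructed address
    msg["To"] = "user@example.invalid"       # constructed address
    msg.set_content("ATTENTION : Your credit card is blocked!\n"
                    "More info in the attached file.\n")
    # Stand-in bytes, not malware: only the two-byte "MZ" magic matters here.
    fake_pe = b"MZ" + b"\x00" * 62
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="sample.exe")
    # Same content under a harmless-looking name, since the names vary.
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="pdf", filename="statement.pdf")
    msg.add_attachment("plain notes\n", filename="readme.txt")
    return msg.as_bytes()


def find_executable_attachments(raw_bytes):
    """Return [(filename, [reasons])] for attachments that look executable."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        # Windows ignores trailing dots and spaces, so strip them first.
        ext = os.path.splitext(name.lower().rstrip(". "))[1]
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension")
        # The content check catches executables that were simply renamed.
        if data[:2] == b"MZ":
            reasons.append("MZ header")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in find_executable_attachments(build_sample_message()):
        print(name, "->", ", ".join(reasons))
```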

3. How to prevent

Because the malicious file is spread using social engineering, general users can hardly notice that something has happened on their PC.
To use a PC safely from the security threats of these malicious files, we recommend that general users follow the "Security management tips" below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated to the latest version, and use its real-time detection function.
3. Do not open or download attachments from suspicious e-mails.
4. Be careful with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as those described above and runs a 24-hour response system against various security threats.

Diagnosis name

- Trojan/W32.Agent.81408.MM
- Trojan/W32.Agent.79872.KV
- Trojan/W32.Agent.67584.OP

7/18/2011

[Warning] Identified malicious application disguised as a Chinese Video Browser

1. Introduction

Repackaging is a major trend in malicious Android applications these days.
"Repackaging" means decompiling a normal APK file and inserting malicious code into it.
Once a device is infected, it is hard to notice the infection.
Therefore, the scope of infection can grow wider and wider.


Among those applications, an unusual malicious application has been identified that was repackaged and disguised as a Chinese video streaming service application.



2. Spreading path and symptoms of infection

Several variants of this malicious application are still being found. As is typical for repackaged applications, it spreads via black markets and 3rd party markets.

First of all, it runs stably on Android SDK 1.6 or higher.
The following figure shows the permission request page during installation.


* Permission explanations

"android.permission.INTERNET"

"android.permission.ACCESS_NETWORK_STATE"

"android.permission.MOUNT_UNMOUNT_FILESYSTEMS"

"android.permission.SEND_SMS"

"android.permission.WRITE_EXTERNAL_STORAGE"

"android.permission.RECEIVE_BOOT_COMPLETED"

"android.permission.RECEIVE_SMS"

"android.permission.WRITE_SMS"

"android.permission.READ_SMS"

"com.android.launcher.permission.INSTALL_SHORTCUT"

"android.permission.BROADCAST_STICKY"

After installation, the launcher icon shown in the following figure is created.




* Detailed analysis

After installation, when the application is executed, the following code downloads and installs an additional malicious application.



* URL for downloading the additional malicious application

http://(~~).ku6.(~~)/(~~)/Android_video_201_gen_f001.apk

* Additional downloaded malicious application

The following figure is a screen capture taken after the additional application was downloaded from the URL above.
It looks like a normal application and can stream music normally.

* Captured screen on execution


 * Created icon


This malicious application displays advertisements under certain conditions. It also contains a link for downloading the application, which can be sent via e-mail or SMS.

Also, it can silently send 6 text messages to China Mobile.



The receiving China Mobile number is a service number used to check the remaining balance, mobile data usage, and so on. It can also be used to apply for the “Free Text Message” service.
Subscribing to some of these services may incur charges. The requested “Free Text Message” service can be used by both the real user and another user.

We assume that it requests the service with this call: (“1~~6”, “8”, “”, this);.
The result of the request is received as a text message when each menu is chosen. Furthermore, to deceive the user during this process, the malicious application removes the reply text messages with the following code.



As the red box shows, a class that inherits BroadcastReceiver deletes text messages whose sender number starts with “10”, without any notice, using the code if(s.startsWith(“10”)) abortBroadcast();.
As a result, a general user cannot notice that anything has happened on the smartphone, even when several services have been applied for.

Together with those attempts, it can try to leak the SIM card number of the smartphone to a certain external web site, as shown in the following figures.



The stolen information can be used to make an illegally cloned phone. In addition, the application can check the network connection status and act on it with specific code.

3. How to prevent

Currently, it is a major trend for malicious Android applications to be disguised as normal applications, and the “REPACKAGING” technique is the most prevalent.
To use a smartphone safely from the security threats of these malicious applications, we recommend that general users follow the "Smartphone security management tips" below.

Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated to the latest version, and use its real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus software to check a downloaded application before using it.
4. Do not visit suspicious or unknown sites via smartphone.
5. Try not to open MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are being used.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for mobile malicious files such as those described above through nProtect Mobile for Android and runs a response system against various security threats.

Diagnosis name

- Trojan-SMS/Android.KuVideoSMS.A
- Trojan-SMS/Android.KuVideoSMS.B

7/15/2011

[Warning] Emerged malicious application disguised as a Kaspersky's mobile Anti-Virus SW

1. Introduction

An application masquerading as a module for Trusteer, an internationally famous provider of security solutions, was revealed to be a fake application.
Similar disguise techniques are prevalent these days.
This time the target is KAV (Kaspersky Anti-Virus).
This tampered application was also made to perform malicious functions.



2. Spreading path and symptoms of infection

This kind of malicious application spreads via black markets and 3rd party markets.
Furthermore, because it is disguised as a normal application, it is difficult for the user to tell whether the application is normal or abnormal.

The following explanations describe its malicious behaviors.

* Symptoms on installation and execution

The following figure shows the permission request page during installation.


 
* Permission explanations

android:name="android.permission.BROADCAST_STICKY"

android:name="android.permission.SYSTEM_ALERT_WINDOW"

android:name="android.permission.INTERNAL_SYSTEM_WINDOW"

android:name="android.permission.ADD_SYSTEM_SERVICE"

android:name="android.permission.VIBRATE"

android:name="android.permission.REORDER_TASKS"

android:name="android.permission.CHANGE_CONFIGURATION"

android:name="android.permission.WAKE_LOCK"

android:name="android.permission.STATUS_BAR"

android:name="android.permission.ACCESS_WIFI_STATE"

android:name="android.permission.READ_PHONE_STATE"

android:name="android.permission.MODIFY_PHONE_STATE"

android:name="android.permission.DEVICE_POWER"

android:name="android.permission.DISABLE_KEYGUARD"

android:name="android.permission.INTERNET"

android:name="android.permission.WRITE_APN_SETTINGS"

android:name="android.permission.BROADCAST_WAP_PUSH"

android:name="android.permission.CHANGE_WIFI_STATE"

android:name="android.permission.ACCESS_NETWORK_STATE"

android:name="android.permission.CHANGE_NETWORK_STATE"

android:name="android.permission.RECEIVE_BOOT_COMPLETED"

android:name="android.permission.READ_SMS"

android:name="android.permission.RECEIVE_SMS"

android:name="android.permission.BROADCAST_SMS"

android:name="android.permission.WRITE_SETTINGS"

android:name="android.permission.ACCESS_WIFI_STATE"

android:name="android.permission.UPDATE_DEVICE_STATS"

android:name="android.permission.CHANGE_WIFI_STATE"

android:name="android.permission.WAKE_LOCK"

android:name="android.permission.READ_PHONE_STATE"

android:name="android.permission.WRITE_SECURE"

android:name="android.permission.WRITE_SECURE_SETTINGS"

android:name="android.permission.WRITE_EXTERNAL_STORAGE"

android:name="android.permission.PROCESS_OUTGOING_CALLS"


* The following figure shows the permission request page during installation.
The permissions listed above cannot actually be used by this malicious application. The reason is explained in the detailed analysis below.

It also uses an icon similar to Kaspersky Mobile’s.


After installation, an activation code is shown when the malicious application is executed.
Clicking “OK” terminates the application without any additional behavior.




* Detailed analysis

When the application is run for the first time, the following code acquires the IMEI information and displays part of that information as an activation code.



Besides the IMEI information, this code also collects IMSI and contact information and sends them to a certain C&C (Command and Control) server.



Since the C&C server destination is set to a local address, the collected information cannot be sent outbound. However, an additional application that is fully compatible with this program may emerge.
In addition to the malicious behaviors above, it can collect SMS information and call status.





3. How to prevent

Since there is a flaw in the way this application calls its malicious method, it cannot perform its malicious functions completely.
However, there is still a possibility that it will be combined with, and work together with, another malicious application.
To use a smartphone safely from the security threats of these malicious applications, we recommend that general users follow the "Smartphone security management tips" below.

Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated to the latest version, and use its real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus software to check a downloaded application before using it.
4. Do not visit suspicious or unknown sites via smartphone.
5. Try not to open MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are being used.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for mobile malicious files such as those described above through nProtect Mobile for Android and runs a response system against various security threats.
  
Diagnosis name

- Trojan-Spy/Android.FakeKav.A

[Warning] Spreads malicious file disguised as a “ALYAC” product.

1. Introduction 
 
A malicious program made for sponsors' advertisements and disguised as the domestic security product "ALYAC" is spreading through public local web portals, blogs and forums.
Therefore, users need to pay special attention to this prevalent malicious file.








2. Spreading path and symptoms of infection

This kind of malicious program is downloaded and installed through shortened URLs posted in various places on the internet. We can easily see many shortened URLs and even click those in case of.
Therefore, users who click such links without thinking need to pay special attention to these malicious files.

In particular, this malicious program is disguised as a Korean anti-virus product.


The downloaded malicious file is an SFX (self-extracting executable) file, and it shows a brief explanation of the additional adware.


As the figure above shows, it connects to a certain domain server and tries to install.


After extraction, 2 files exist in the following paths, and several shortcuts to affiliate marketing sites are created on the Desktop.

* Generated file information

C:\Documents and Settings\(user account)\Desktop\temp.zip
C:\Documents and Settings\(user account)\My Documents\alyac2.0\alyac2.0.jpg

The downloaded temp.zip (a zip file) contains the "alyac2.0.jpg" file together with an explanation and download path for "alyac V2.0 beta".

알약2.0.jpg
* Registry information (Auto start on boot)
  
  
1. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- Value name : SmartToolUDF
- Value data : C:\Documents and Settings\(user account)\Local Settings\Application Data\Microsoft\SmartTool\SmartToolUDF.exe
2. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- Value name : AntiDefendMain
- Value data : C:\Program Files\AntiDefend\AntiDefend.exe /Boot
3. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- Value name : PrivacyView
- Value data : C:\Program Files\PrivacyView\PrivacyView.exe /run1
4. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- Value name : sevenlink
- Value data : C:\Program Files\Sevenlink\sevenlink.exe
5. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- Value name : SmartTool
- Value data : C:\Program Files\SmartTool\SmartTool.exe
6. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- Value name : SearchNQ
- Value data : C:\Program Files\SearchNQ\SearchNQ.exe
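To check a host for the autostart entries listed above, the text output of `reg query` on the Run key can be matched against both the value names and the executable paths, so that an entry is still caught if its value name has been changed. This is an added example, not part of the original post: the sample output is constructed, and the `ExampleUpdater` and `Helper` entries and the function names are hypothetical.

```python
import re

# Value names and executable paths taken from the registry list in the post.
IOC_VALUE_NAMES = {"smarttooludf", "antidefendmain", "privacyview",
                   "sevenlink", "smarttool", "searchnq"}
IOC_PATHS = (
    r"\smarttool\smarttooludf.exe",
    r"\antidefend\antidefend.exe",
    r"\privacyview\privacyview.exe",
    r"\sevenlink\sevenlink.exe",
    r"\smarttool\smarttool.exe",
    r"\searchnq\searchnq.exe",
)

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

# Constructed sample of:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    C:\Program Files\Example\updater.exe
    AntiDefendMain    REG_SZ    C:\Program Files\AntiDefend\AntiDefend.exe /Boot
    Helper    REG_SZ    C:\Program Files\SearchNQ\SearchNQ.exe
"""


def parse_run_values(text):
    """Return [(value name, value data)] parsed from reg query output."""
    values = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values.append((m.group("name"), m.group("data")))
    return values


def check_run_key(text):
    """Return [(name, data, [reasons])] for entries matching the list."""
    hits = []
    for name, data in parse_run_values(text):
        reasons = []
        if name.lower() in IOC_VALUE_NAMES:
            reasons.append("value name")
        # Substring match so that arguments such as /Boot do not matter.
        if any(path in data.lower() for path in IOC_PATHS):
            reasons.append("path")
        if reasons:
            hits.append((name, data, reasons))
    return hits


if __name__ == "__main__":
    for name, data, reasons in check_run_key(SAMPLE_REG_QUERY):
        print(name, "|", data, "|", ", ".join(reasons))
```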

3. How to prevent

Because this kind of malicious program is created for advertising and for the benefit of the company behind it, it can cause damage or cost to the user.
To stay safe from this kind of malicious file, we recommend that users follow the safety precautions below:
 
* Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated to the latest version, and use its real-time detection function.
3. Be careful when clicking shortened URLs.
4. Download applications directly from their official sites.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as those described above and runs a response system against various security threats.
 
* nProtect Anti-Virus/Spyware 3.0 diagnosis screen

- Trojan-Clicker/W32.Agent.802816.E

7/13/2011

Microsoft Security Bulletin Summary for July 2011

1. Introduction

Microsoft (MS) released its regular security updates for July 2011.
General users are strongly recommended to stay safe from these vulnerabilities by applying the Windows security updates for Bluetooth, Microsoft Visio, Windows kernel-mode drivers, and the Client/Server Run-time Subsystem.

Microsoft Security Bulletin Summary for July 2011
 http://www.microsoft.com/technet/security/bulletin/ms11-jul.mspx

2. Updates details 

[Critical]
[MS11-053] Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (2566220)

Vulnerability

Bluetooth Stack Vulnerability - CVE-2011-1265

This security update resolves a privately reported vulnerability in the Windows Bluetooth Stack. The vulnerability could allow remote code execution if an attacker sent a series of specially crafted Bluetooth packets to an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability only affects systems with Bluetooth capability.

- Reference site

http://www.microsoft.com/technet/security/bulletin/MS11-053.mspx

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

[Important]

[MS11-054] Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2555917)

Vulnerabilities

Win32k Use After Free Vulnerability - CVE-2011-1875
Win32k Use After Free Vulnerability - CVE-2011-1876
Win32k Use After Free Vulnerability - CVE-2011-1877
Win32k Use After Free Vulnerability - CVE-2011-1878
Win32k Use After Free Vulnerability - CVE-2011-1879
Win32k Null Pointer De-reference Vulnerability - CVE-2011-1880
Win32k Null Pointer De-reference Vulnerability - CVE-2011-1881
Win32k Use After Free Vulnerability - CVE-2011-1882
Win32k Use After Free Vulnerability - CVE-2011-1883
Win32k Use After Free Vulnerability - CVE-2011-1884
Win32k Null Pointer De-reference Vulnerability - CVE-2011-1885
Win32k Incorrect Parameter Allows Information Disclosure Vulnerability - CVE-2011-1886
Win32k Null Pointer De-reference Vulnerability - CVE-2011-1887
Win32k Null Pointer De-reference Vulnerability - CVE-2011-1888


This security update resolves 15 privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.

◈ Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP1, SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server R2 for x64-based SP1
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium SP2

- Reference site

http://www.microsoft.com/technet/security/bulletin/MS11-054.mspx


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

[Important]
[MS11-055] Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2560847)


Vulnerability


Microsoft Visio Insecure Library Loading Vulnerability - CVE-2010-3148

This security update resolves a publicly disclosed vulnerability in Microsoft Visio. The vulnerability could allow remote code execution if a user opens a legitimate Visio file that is located in the same network directory as a specially crafted library file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

◈ Affected Software


- Visio 2003 Service Pack 3

- Reference site

http://www.microsoft.com/technet/security/bulletin/MS11-055.mspx


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

[Important]
[MS11-056] Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2507938)


Vulnerabilities

CSRSS Local EOP AllocConsole Vulnerability - CVE-2011-1281
CSRSS Local EOP SrvSetConsoleLocalEUDC Vulnerability - CVE-2011-1282
CSRSS Local EOP SrvSetConsoleNumberOfCommand Vulnerability - CVE-2011-1283
CSRSS Local EOP SrvWriteConsoleOutput Vulnerability - CVE-2011-1284
CSRSS Local EOP SrvWriteConsoleOutputString Vulnerability - CVE-2011-1870


This security update resolves five privately reported vulnerabilities in the Microsoft Windows Client/Server Run-time Subsystem (CSRSS). The vulnerabilities could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities.


◈ Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP1, SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server R2 for x64-based SP1
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium SP2


- Reference site

http://www.microsoft.com/technet/security/bulletin/MS11-056.mspx

7/07/2011

[Material] Repackaged FastRacing game application leaks your smartphone information

1. Introduction

Recently, the number of malicious Android applications has been growing rapidly, and smartphone security threats are getting bigger.
"Repackaging", which injects malicious functions into a normal application, is the most widely used technique for creating malicious applications.
Furthermore, this malicious application can steal user information.
Android device users therefore need to pay special attention to this prevalent malicious file.

2. Spreading path and symptoms of infection

This malicious application, an Android game application named “FastRacing”, is a repackaged application that includes malicious code and requires SDK version 1.6 or higher.

After installation is complete, it can perform the following malicious behaviors.
 
※ Possible malicious behaviors

- Collects smartphone information
- Collects the outgoing / incoming call list
- Collects SMS information
- Sends collected log files in .TXT form to an external URL
- Sends SMS
- Tries to make a call
- Installs and removes applications
- Behaves as a bot
- Accesses GPS information

This kind of repackaged malicious application spreads via black markets and 3rd party markets, and it shows a permission request screen during installation.


 
* Permission explanation in AndroidManifest.xml

- android:name="android.permission.INTERNET"
-> Permission to use the internet
- android:name="android.permission.VIBRATE"
-> Permission to use vibration
- android:name="android.permission.ACCESS_NETWORK_STATE"
-> Permission to access network information
- android:name="android.permission.READ_PHONE_STATE"
-> Permission to read the phone’s state
- android:name="com.android.vending.BILLING"
-> Permission for billing
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
-> Permission to write to external storage
- android:name="android.permission.ACCESS_COARSE_LOCATION"
-> Permission to access location via Cell-ID and Wi-Fi
- android:name="android.permission.ACCESS_FINE_LOCATION"
-> Permission to access GPS
- android:name="android.permission.RECEIVE_SMS"
-> Permission to receive SMS
- android:name="android.permission.SEND_SMS"
-> Permission to send SMS
- android:name="android.permission.READ_SMS"
-> Permission to read SMS
- android:name="android.permission.CALL_PHONE"
-> Permission to make calls
- android:name="android.permission.PROCESS_OUTGOING_CALLS"
-> Permission to process outgoing calls
- android:name="android.permission.DELETE_PACKAGES"
-> Permission to delete packages
- android:name="android.permission.INSTALL_PACKAGES"
-> Permission to install packages
- android:name="android.permission.RECEIVE_BOOT_COMPLETED"
-> Permission to run background tasks after reboot
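The permission lists in these posts, and the SMS-hiding receiver described in the Chinese video browser post, can be triaged automatically from a decoded AndroidManifest.xml before an application is installed. The following is an added example, not code from the analyzed applications: the sample manifest, the package and receiver names, the rule names and the function name are constructed assumptions, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# A rule fires only when every permission in its set is requested.
RULES = {
    "sms-fraud": {P + "SEND_SMS", P + "RECEIVE_SMS"},
    "device-id-exfiltration": {P + "READ_PHONE_STATE", P + "INTERNET"},
    # Reserved for system apps, so a market app asking for it stands out.
    "silent-install": {P + "INSTALL_PACKAGES"},
    "hidden-calls": {P + "CALL_PHONE"},
    "boot-persistence": {P + "RECEIVE_BOOT_COMPLETED"},
}

# Constructed sample: a subset of the permissions listed in the posts plus a
# hypothetical receiver that sees incoming SMS before the messaging app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsFilter">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return requested permissions, fired rules and SMS receivers."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    findings = sorted(r for r, needed in RULES.items() if needed <= perms)

    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            if SMS_RECEIVED not in actions:
                continue
            try:
                priority = int(flt.get(ANDROID + "priority", "0"))
            except ValueError:  # e.g. a resource reference
                priority = 0
            sms_receivers.append((recv.get(ANDROID + "name"), priority))

    # A raised priority lets the receiver handle the SMS broadcast first,
    # which is what abortBroadcast() needs in order to hide a reply.
    if "sms-fraud" in findings and any(p > 0 for _, p in sms_receivers):
        findings.append("sms-reply-suppression")
    return {"permissions": perms, "findings": findings,
            "sms_receivers": sms_receivers}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["findings"], report["sms_receivers"])
```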

When installation is completed, the game can be played normally, so it is hard to notice that the device has actually been infected.




* Analysis of malicious behavior in background task

After installation, this malicious application performs the following malicious behaviors.

* Collects information: IMEI, IMSI

The following figure shows the collection of IMEI and IMSI information under a certain condition.
 

* Collects information: outgoing, incoming call history

The following figure shows the collection of outgoing and incoming call history under a certain condition.
 

As the figure above shows, the underlined “android.intent.extra.PHONE_NUMBER” is used to write all collected numbers to "zjphonecall.txt". Incoming call history, however, is saved depending on the condition of the Bean class.

* Collects information: SMS

The following figure shows the collection of SMS information under a certain condition.
 

The real sender number, the displayed number, and the message contents are saved to "zjsms.txt".

* Sends collected log file to external URL.

The following figure shows the collected SMS and call history being sent to an external site.
 

In the upper left figure, the path in the red box is the location where the collected files are stored, and the URL path they are uploaded to is in the blue box. Each path is generated by combining the referenced values.

* Sends SMS

The following figure shows the attempt to send the collected SMS information.
 

* Tries to make a call clandestinely
 

The following figure shows the attempt to make a call.
 

In the figure above, the call function is implemented in the red box area, which refers to the blue box area and tries to make a call secretly.

* Installs and removes application
 

The following figure shows the installation and removal of applications.
 

The most notable feature of the installation and removal function is that, unlike previous malicious applications, it does not contain a rooting function. This part also creates logs internally.

* Performs as a bot
 

Bot: Internet bots, also known as web robots, WWW robots or simply bots, are software applications that run automated tasks over the Internet. Typically, bots perform tasks that are both simple and structurally repetitive, at a much higher rate than would be possible for a human alone.

In this application, the Bean instance, which is registered as a receiver, inherits BroadcastReceiver and acts as a bot. At this point it performs the four malicious behaviors mentioned above: sending collected log files in .TXT form to an external URL, sending SMS, trying to make a call, and installing and removing applications.

Furthermore, these malicious functions are activated through a class that inherits the Service class, so that they work covertly.

* Accesses GPS information

The following figure shows the access to GPS information.
 

The permission and class underlined above let the application access GPS information, and combined with the bot function this can cause great damage.

3. How to prevent

Malicious applications spreading recently try to infect smartphones with various techniques such as "Repackaging". As described above, many threats can emerge from them. In such cases, it is very difficult for ordinary users to tell what is going on in their smartphones.

To use a smartphone safely from the security threats of these malicious applications, we recommend that general users follow the "Smartphone security management tips" below.
  
Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated to the latest version, and use its real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus software to check a downloaded application before using it.
4. Do not visit suspicious or unknown sites via smartphone.
5. Try not to open MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are being used.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for mobile malicious files such as those described above through nProtect Mobile for Android and runs a response system against various security threats.