This script is used by hundreds of thusands of sites and is quite popular in the WordPress theming community. It was discovered last month that a vulnerability existed within certain versions of the script (http://code.google.com/p/timthumb/issues/detail?id=212). If you are using a WordPress theme with your mobile WordPress web site then it is highly likely that the Timthumb WordPress Hack can be exploited on your site (depending on when you last updated your theme). The author of the Timthumb script has provided a fix that you should apply to your site now.

It’s Not Personal

Most hacked sites are just black hat SEO scam artists trying to increase their own site ranking for whatever purposes. It’s not personal so don’t panic if you find you have been hacked. Don’t take it personally, they are not out to get you in particular.

Sites being hacked have always been a problem, if yours has never been hacked then consider yourself to be lucky. You have to do your best to make sure this kind of thing doesn’t happen but it still can.

Trusteer reports that an Android variant of Spitmo (SpyEye for mobile) has been discovered.

The methodology sounds familiar for those familiar with ZeuS Mitmo and SpyEye Spitmo: infected computers inject a message into targeted netbanks prompting their customers to install software on their phones. Once Spitmo is installed, the SpyEye attacker is able to monitor incoming SMS and to steal MTAN authentication messages.

More from Trusteer: First SpyEye Attack on Android Mobile Platform now in the Wild

On 13/09/11 At 03:22 PM

The suspect applications cover a variety of topics, including horoscopes, farm and pet games/info and the Chinese calendar, to name a few. Below is a screenshot of the permissions requested by one of these applications:

However some of them do not even look like what they claim to be and eventually crash (probably bad programming):

Before the application crashes however (and usually right after its execution), it will retrieve the phone’s International Mobile Subscriber Identity (IMSI) number, then attempts to connect to a remote site:

- h t t p://mobile.tx.com.cn:[...]/client.[...].do
– h t t p://mobile.tx.com.cn:[...]/client/[...].do

to check if the phone’s IMSI already exists (at time of writing, the remote sites were still accessible).

If the application isn’t able to access the remote site, or the site somehow returns an error response, it will proceed to send out an SMS message.

The SMS sending component first determines the phone’s subscriber ID, then depending on the retrieved information, it will select a different recipient number that it will send the message to.

The SMS body contains the following format:

- 99# [ IMSI ]#android#[ app_specific_string ]

As of the moment, we’re still investigating the implications of the application’s behavior; this may or may not be another example of fraudulent SMS registration for services. Nevertheless, the fact that it automatically sends out an SMS with the phone’s IMSI ID without the user’s awareness or consent is something that is not very desirable.

This is aside from the possible charges incurred and and unwanted identification of the phone’s number (when the other party receives the message).

We will detect these applications as Riskware:Android/MobileTX.A.