Instant Messaging Password Stealer Available From Major Download Sites

Generally, download sites do a good job of keeping potentially undesirable programs off their network. You might see the oddly titled "family keylogger" program and wonder about the ethics of such a utility, but leaving those rather dubious grey areas aside, mostly things take care of themselves.

However, while browsing the cnet.download.com site today, I happened to find something rather peculiar in their "Network Monitoring Tools". Namely, this:

apheve101.jpg

As soon as I saw the creator description of the program, I knew something wasn't quite right:

"Apheve is a great piece of software that has the ability to disguise itself as multiple IM programs including MSN, Skype, and BT Yahoo. This is perfect if a visitor is coming round who wants to access their IM account."


Wait, it "disguises" itself as multiple IM programs? And its name sounds like a bizarre slang version of the word "thieve" (A Pheve)?

Oh dear.

As you might expect, the program is available to download on numerous sites, including CNet Asia and ZDNet UK. Up for grabs since May 2008, the number of downloads is somewhat alarming:

18,214 download.cnet.com
9186 CNET Asia
455 ZDNET.co.uk

Not including other sites related to the above URLs, that means there's a grand total of at least 27,855 people (possibly) running round trying to steal your IM logins. (Check out the comments for more thoughts on what all those people may... or may not... be using the program for.)

Did I say steal? Yes, I did. Presenting.... "Apheve":


aphevez0.PNG

Quite simply, you select the IM client of your choice - MSN Messenger, Yahoo IM or Skype - and hit the "Start!" button. Then you retreat to a safe distance and let your victim use the PC. As we've seen before, these kinds of programs work great for scammers in net cafes, libraries and schools / universities.

The victim will see one of these:

aphevemsn.PNG

apheveyahoo.PNG

Of course, both of those IM boxes are entirely fake. Should you enter your login details, you'll be shown an error message and wander away from the computer feeling vaguely annoyed. Meanwhile, the attacker jumps onto the same computer and clicks on the apparently harmless-looking fake icon in the Taskbar - in this case, a picture of a DVD / CD:

fakeaphevetooltip.PNG

....and is presented with your login information, courtesy of a nifty popup box:

apheveskype2.PNG

Is it just me, or does that go a little beyond the scope of "Monitoring Software"?

The program has absolutely no reason to exist other than harvesting login credentials.

Even the choice of targets seems designed to cause as much trouble as possible - Skype accounts will probably have unused call credit stored against them, Windows Live accounts may well be linked to EMail as well as IM, potentially giving access to yet more personal information, logins etc.

Any claim by the creator that this is intended for "network security" is fairly blown out of the water when we check out his YouTube channel, only to find...

apheve4.jpg

...he's promoting it with the title "How to hack Msn, Skype or Yahoo with Apheve 1.1", with "Apheve pro - The ultimate hacking tool" in the description.


The only good thing here is that due to the program being around for a while, the fake versions of Skype, Windows Live Messenger etc look rather outdated and not very much like the real, current versions. The DVD / CD icon in the corner could also be a giveaway, though of course you can change that if you really want to.

We've EMailed the Downloads team, and will post again when we hear back from them.


Given the rather single-minded purpose of this application, I'm a little surprised it managed to squeeze through the cracks. The above download sites may well be "Tested Spyware Free", but they're currently not "Tested Horrible IM Stealing Piece of Junk Free".

Hopefully that might change shortly...

4 Comments

"Not including other sites related to the above URLs, that means there's a grand total of at least 27,855 people running round trying to steal your IM logins."

eh, I disagree with this assumption. I highly doubt that each download directly correlates with a person "running round trying to steal your IM login".

case in point, you downloaded the app but presumably aren't using it maliciously. I realize that you could also argue the opposite, that one download could easily correlate to any number of malicious users, but c'mon....

Interesting app either way, enjoyed your write up.

Fair point, I've added in a "possibly".

Having said that, it's a bit of a niche product...random casual users probably aren't going to go downloading something like this that often, especially as it's buried in the Security Monitoring Tools section.

And while I myself might have downloaded it purely to write about it, I doubt many others have nabbed it for non-malicious purposes, given that there doesn't appear to be anyone else on forums, blogs or other sites warning of the danger it poses - or indeed, making any noise about realising its intent then flagging it to the Download websites offering it up.

(Well, there might be but I haven't found any so far!)

Thanks for the comment either way, glad you liked it.

Oh, interesting. I think I saw a few people talking about this on hacking forums and asking for a download link a while ago. If only they'd had the intelligence to google the name of the program they'd have had one in no time lol.

At the risk of sounding overly cynical, I'd have to agree with the assessment that the majority of people who have downloaded this - and the total presented above might only be a very small portion given that we don't know how many sites it's available on - are all thieving scumbags who want to grab some logins.

Seriously, google "apheve password stealer", "warning apheve" & other combos and all you get is solid pages of videos, hack sites and crack forums all talking about how awesome it is. As pg said, where did all the good samaritans go once they downloaded this thing then realised it's actually a multiple client password stealer?

did it eat them?

"did it eat them?"

Now THAT is a feature I'd like to see.

As long as it's not on my testbox, of course.


About this Entry

This page contains a single entry by Christopher Boyd published on April 13, 2009 8:14 PM.
