About these ads

Archive

Archive for May, 2011

(IN)SecureID

May 31, 2011 11 comments

I just finished reading this interesting article that seems to offer a different view for the attack at Lockheed Martin (actually, a lone voice which does not consider the attack related to compromised seeds), that here it is another bolt from the Blue. As a matter of fact Wired reports that a second Defense Contractor, L-3, has been targeted with penetration attacks leveraging information stolen from the infamous RSA Breach. This information was contained into an E-mail, dated April 6, sent to the 5000 group’s employees. t’s not clear from the e-mail whether the hackers were successful in their attack, or how L-3 determined SecurID was involved.

Protecting our network is a top priority and we have a robust set of protocols in place to ensure sensitive information is safeguarded. We have gotten to the bottom of the issue.

Is the only comment of the company.

This revelation occurs few days after the explosive news pertaining the attack led with similar methods to another Defense Contractor, Lockeed Martin.

Maybe all the defense contractors should have followed the wise example of  Raytheon (another Defense Contractor) which declared to have taken immediate companywide actions in March when incident information was initially provided to RSA customers, to prevent a widespread disruption of their network.

If confirmed, this event is a further corroboration of the fact the real target of the Hackers was not RSA but their customers, event if at this point I wonder if military contractors are the only targets or if they have been the only ones capable to detect the attempts because of their strict security protocols and policies.

Related articles
About these ads
Categories: Security Tags: , , , , , ,

DroidDream is Back!

May 31, 2011 1 comment

There is a new nightmare on the Android Market, and again many Android devices are not going to have a good awakening.

The last security advice for the Google Mobile OS comes from Lookout, which has discovered a new variant of the infamous DroidDream, the first malware conveyed by the Official Android Market capable of infecting at the beginning  of March, according to Symantec, between 50.000 and 200.000 devices.

This time the brand new version, dubbed DroidDreamLight, was found in 26 repackaged applications from 5 different developers distributed in the Android Market. According to Lookout DroidDreamLight is no less than is “noble” predecessor, since was able to affect between 30.000 and 120.000 users.

According to Lookout, the malicious components of DroidDream Light are invoked on receipt of an android.intent.action.PHONE_STATE intent (e.g. an incoming voice call). As a consequence DroidDream Light does not depend on manual launch of the installed application to trigger its behavior.  The broadcast receiver immediately launches the <package>.lightdd.CoreService which contacts remote servers and supplies the IMEI, IMSI, Model, SDK Version and information about installed packages. It appears that the DDLight is also capable of downloading and prompting installation of new packages, though unlike its predecessors it is not capable of doing so without user intervention.

The list of the infected applications (already removed from Google) is available at the original link. I must confess I could not help noticing the rich amount of “hot” applications, which confirm (unfortunately) to be a lethal weapon for carrying malware.

This event will raise again the concerns about the security policies on the Android Market, and about the apparently unstoppable evolution of the mobile threat landscape which has brought for the Android a brand new malware capable of sending data to a remote server. A further step closer to a mobile botnet even if, at least for this time, with limited capabilities of auto-installing packages,.

I will have to update my presentation, meanwhile do not forget to follow the guidelines for a correct mobile behavior:

  • Avoid “promiscuous” behaviours (perform rooting, sideloading or jaibreaking with caution, most of all in case of a device used for professional purpose);
  • Do not accept virtual candies from unkown virtual individuals, i.e. only install applications from trusted sources, always check the origin and their permissions during installation;
  • Beware of unusual behavior of the phone (DroidDream owes its name to the fact that he used to perform most of its malicious action from 11 P.M to 8 A.M.);
  • Beware of risks hidden behind social Network (see my post of yesterday on mobile phishing);
  • Use security software;
  • Keep the device updated.
Related articles
Categories: Mobile, Security Tags: , , , , , , ,

If Phishing Goes Mobile…

May 30, 2011 5 comments

One of the most surprising things I noticed concerning the Lockheed Martin Affair, was the affirmation contained in the Reuters Article, made  by Rick Moy, president of NSS Labs, indicating that the initial RSA attack was followed by malware and phishing campaigns seeking specific data to link tokens to end-users (an indirect evidence of the same authors behind the infamous RSA breach and the Lockheed Martin attack.

My initial surprise only lasted few seconds, since, this year is showing us a brand new role for the phishing attacks which are more and more targeted to steal corporate sensitive data, and constitute the first level of attack for Advanced Persistent Threats.

At first sight could be quite difficult to believe that users are still tricked by old-school phishing techniques, but a deeper analysis could show in my opinion, a possible (in part psychological) explanation relying on the fact that the users themselves are still used to think to phishing as something targeted to steal personal information (often with pages crafted with gross errors), and seems to be unprepared to face the new shape of phishing which targets corporate information with cybercrime purposes and industrial methods, which definitively means to perpetrate the attack with plausible and convincing methods, and most of all leveraging arguments the user hardly doubts about (I could doubt of an E-mail from my bank asking me to provide my account and credit card number, maybe, most of all in case I am not an infosec professional, I could feel more comfortable in providing my username to a (fake) provisioning portal of my Company).

But my information security beliefs are falling one after the other, and after reading this really interesting article by Adrienne Porter Felt and David Wagner of the University of California (the marvelous LaTeX layout!)  I can only confirm that mobile devices will be next frontier of phishing.

According to this paper the risk of a success of a phishing attack on mobile devices is dramatically greater than traditional devices due to some intrinsic factors such as the smaller size of the screen, the fact that many applications embed or redirect to web pages (and vice versa some or web pages redirect to applications), the fact that mobile browsers hide the address bar, and most of all the absence of application identity indicators (read the article and discover how easily a fake native application can resemble completely a browser page) which makes very difficult to discover if a certain operation is calling a fake application on the device or it is redirecting the user to a fake application resembling a legitimate login form.

Moreover, the intrinsic factors are worsened by (as usual) the user’s behavior: as a matter of fact (but this is not a peculiarity of mobile devices), users often ignore security indicators, do not check application permissions and are more and more used to legitimate applications continuously asking for passwords with embedded login forms and. Last but not least I would add the fact that they are not still used to think to mobile applications as targets of phishing (Zitmo Docet).

Guess what are the ideal candidates for Mobile Phishing attacks? Easy to say! Facebook and Twitter since they are the most common linked applications used by developers to share their creations (the power of free viral marketing!).

Given the speed with which these devices are spreading in the enterprise (see for instance this GigaOM infographic), there is much to worry about in the near future. An interesting solution could be the operating system to support a trusted password entry mechanism. Will SpoofKiller-like trusted login mechanisms be our salvation as the authors of the paper hope?

Related articles
Categories: Mobile, Security Tags: , , , , , , , ,

More Random Thoughts on the RSA Breach

May 28, 2011 6 comments
The X-35, Joint Strike Fighter from Lockheed M...

Image via Wikipedia

Probably it was a quite easy prediction, however it looks like what I suggested on my random thoughts on the RSA Breach has definitively come true: RSA was not the target, probably its customers were.

On this front, the last two days were quite turbulent, and what seemed initially a simple speculation of an attack using compromised SecureID seeds targeted to “a very large U. S. defense contractor”, is revealing to be one of several attacks towards military contractors of U.S. Defense, using the data stolen during the famous breach of March.

According to a source with direct knowledge of the attacks, quoted in the above linked Reuters article:

The hackers learned how to copy the security keys with data stolen from RSA during a sophisticated attack that EMC disclosed in March, according to the source.

In any case EMC, the parent company of RSA, and the other main U.S. defense contractors possibly involved refused to comment.

I was not surprised by these details, more than one month ago I delineated a possible attack scenario which seems to be very close to what happened, at least for Lockheed Martin. Since the token on its own it is not enough to carry on a successful attack (it must be linked to the owner and very often the real password is also combined with a PIN), other combined actions must be performed to obtain the missing pieces of the puzzle.

I suggested a possible scenario of exploiting the weakness of software tokens, for instance by mean of specific keylogger malware to grab user details and the PIN. It is not exactly what happened in case of Lockheed Martin, but the real attack scenario is quite close since a keylogger was involved as well and used to access the intranet and consequently to get access to the internal network: as a matter of fact, for security reasons many companies use a double layer of authentication for remote access and internal resources. In this case the company forced 100.000 users to reset their passwords.

In reality, as stated by Rick Moy, president of NSS Labs, the initial RSA attack was followed by malware and phishing campaigns seeking specific data that would link tokens to end-users, suggesting that the current attacks may have been carried out by the same hackers. And the game is not over.

Unfortunately the use of phishing to lure the users (and to attack an organization for cybercrime purposes) is not surprising as well. Nowadays this technique, to initially target the users with phishing, leading them to download malware, is the “main engine” of APTs (Advanced Persistent Threats) and it is revealing to be the common denominator of the main breaches and huge scale attacks of this annus horribilis for Information Security. The fact that in this circumstance it was used in combination with the duplicated key of SecureID is only the last unedited variant, and I am afraid it will not be the last.

Fortunately, in any serious situation there is always a flash of humor: according to this article of NYT, the intruders had been detected as they were trying to transfer data by security software provided by NetWitness Corporation, a company that provides network monitoring software. Does NetWitness Corporation sound familiar to you? Of course It does indeed! In April, just after the breach, NetWitness was acquired by RSA’s parent company, EMC.

As Morpheus stated: “Fate, it seems, is not without a sense of irony”, and this is worthwhile for Information Security as well.

Related articles
Categories: Security Tags: , , , , , , , ,

It was only a matter of time…

May 26, 2011 13 comments

05/27 Update: Several Sources report that the “large U. S. Defense contractor” hit by the alleged compromised seeds attack could be Lockheed Martin.

It was only a matter of time… And not only of the time necessary to synchronize the RSA Algorithm…

A bolt from the blue! Source report some details of the alleged first attack to a very large U. S. Defense contractor perpetrated by mean of compromised RSA seeds.

Late on Sunday all remote access to the internal corporate network was disabled. All workers were told was that it would be down for at least a week. Folks who regularly telecommute were asked to come into nearby offices to work. Then earlier today (Wednesday) came word that everybody with RSA SecureID tokens would be getting new tokens over the next several weeks. Also, everybody on the network (over 100,000 people) would be asked to reset their passwords, which means admin files have probably been compromised.

It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company. With those two pieces of information they were then able to get access to the internal network.

Fortunately the contractor was able to detect the breach and to manage it, avoiding worst consequences.

But many questions remain unsolved: was this the first attempt? Were all the seeds compromised during the famous breach? For Sure it will not be the last and my sixth sense and one half thinks we will have to get used to this kinds of attacks.

As I told in previous post I am more and more convinced that the final target of the attack was not RSA…

Related articles
Categories: Security Tags: , , , , , ,

Mobile Security: Vulnerabilities and Risks

May 24, 2011 5 comments

Today I took part as speaker to an event organized by my Company concerning Cloud and Mobile security. For this occasion I prepared some slides summarizing some concepts spread all over my blogs.

In my vision (you should know if you follow my blog) mobile vulnerabilties are mainly due to:

  • False security perception by users: they consider their device as a “simple” phone, forgetting they bring a small dual-core in their pockets;
  • “Light” behaviour from users: Sideloading, Jailbreak and Rooting are not good security practices;
  • Consumerization of Devices: well known (partially abused) concept: some mobile devices come from the consumer world and hence do not natively offer enterprise class security or suffer from intrinsic vulnerabilities:
  • Consumerization of Users: many users think they have consumer device so they think they do not deserve enterprise class security measures.

And the risks are:

  • False Security Perception leads to high probabilities of theft or loss of the device, and most of all, of its data;
  • “Light” behaviour from users dramatically increases the probability to directly install malware or surf towards insecure shores…
  • Consumerization of Devices leads to vulnerabilities that may be exploited to access and steal sensitive data or authentication credentials;
  • Consumerization of Users leads the users themselves to adopt imprper habits not appropriate for an enterprise use, which in turn make the device even more vulnerable to malware (i.e. installing non business application, lending it to others, etc.).

How to mitigate the risks?

  • Educate users to avoid “promiscuous” behaviours (no root or sideloading or jaibreak, do not accept virtual candies from unkown virtual persons);
  • At an organizational Level, define security policy for managing (un)predictable events such as device thieft or loss;
  • Beware of risks hidden behind social Network;
  • Use (strong) Data Encryption;
  • Do not forget to use security software;
  • Enforce Strong Authentication;
  • Keep the device update.

This in turn corresponds to enforce a device management policy in which mobile devices are treated like “traditional” endpoints (but they will sone become tradional endpoints).

You may find the slides on SlideShare… They are mainly in Italian but if you want, ask me and I will provide an additional translated version.

Good Reading!

Categories: Mobile, Security Tags: , , , , , , ,

Social Reputation On Sale

May 21, 2011 1 comment

Would you buy an used car from a Girl Like That? Mmh… probably she is not the best person for this kind of deal, but I grant you that if you wish to buy some pounds of social reputation on sale she is just the right (virtual) person. You only need to go on Twitter and search for @JuliannaAlln to understand why…

Some hours after publishing my last post about Mr. Obama’s speech and its implications for Revolution 2.0 (thanks to @brunehel for suggesting this intriguing name) I received a strange mention from @JuliannaAlln:

@paulsparrows: I just saw your tweet about Linkedin. This site is great for adding LinkedIn connections: http://is.gd.dfnfQV

Tweet about Linkedin? It sounded strange to me, even if in a certain sense the last tweet mentioned Social Networks, it had (nearly) nothing to deal with LinkedIn.

I could not help noticing the attractive young girl on the picture (a typical stereotype of social honeypots), and consequently at first glance I immediately thought about the affair of @PrimorisEra or Robin Sage. Anyway, since it is really unlikely that my unconfessable secrets may be of any interest to someone for the purpose of espionage or whatever else, this idea without rhyme or reason only lasted a few seconds: the truth is far less romantic and is just a click far from the link contained in the tweet.

As a matter of fact the link inside the tweet brings you to Viralso, an Internet Marketing Agency, whose main course consists in selling Social Reputation: with “only” 89 bucks per month you may choose to reach the mentionable amount of 2400 LinkedIn connections (with a Delivery Rate of 200 per Month) or 2000 Twitter followers (understandably, inventing building a social profile on LinkedIn where you must prove the references of your skills is much harder). If instead you want to surprise your friends on Facebook with an endless array of friends, there is no problem at all: with “only” 89 bucks per month 500 new friends (per month as well) will bring you to the noticeable number of 2400 friends. In any case you will be able to become a “social black hole (in the sense that you will be able to attract anything to your profile) with 100% satisfaction guaranteed.

Analyzing the matter more seriously, I find that this is only the latest implication of the polymorphic main concern of social networks which is Reputation, from a security perspective (may you really trust who you are talking to?) but also from an individual and (real) social perspective. In particular from an individual perspective the social reputation (and social impact and credibility) is not built upon what one individual is (because the real identity is hidden behind an avatar) rather than upon the number of friends, followers or contacts, one individual is able to show, even if there is no way to prove the real identity of them. If I cannot show or prove who I am I can only use indirect tools (i.e. my contacts) to build my reputation.

The worrying thing relies on the fact that apparently there is no difference between personal and professional social networks: I might also understand the presumption by “virtual flirt hunters”, of flaunting thousands of Facebook friends to impress unlikely preys; unlikely I hardly understand how a huge amount of fake professional contacts on LinkedIn could work, in a social networks where the references, at least on paper, can be verified. Maybe even for this reason the LinkedIn IPO was far beyond the most optimistic expectations (seems to be back at ten years ago).

Even if the agency claims that:

We do not incentivize people to Become a Connection on LinkedIn

We use proprietary marketing techniques to find “real people” that will become a LinkedIn connection.

the qoutes around the term “real people” are more meaningful than a thousand words (and now that I know that the marketing process is based on the strategies used by President Obama, and, most of all, by Britney Spears I feel much more confortable). Actually I really would be very curious to know how the not better defined “proprietary marketing techniques” are able to build the fake profiles, and to check, most of all on LinkedIn, their level of (social) reliability, anyway I must confess that rather than trying it, I much prefer to spend my bucks (or better my Euros, or Euri how we say in Italy) for a real social life, for instance with some real friends and a fresh beer…

Categories: Social Networks Tags: , , , , , ,

Tweets Of Democracy

May 19, 2011 7 comments
Official presidential portrait of Barack Obama...

Image via Wikipedia

Today President Obama held his speech on the Middle East announcing a new strategy (and new investments) for the Middle East aimed to encourage the process of Democratization in place. I gave a look to the entire speech and noticed some assertions particularly meaningful which implicitly admit the crucial role that new technologies played in the past months (and will probably play into this kind of new Middle East Mashall Plan) as triggers (and drivers) for backing the fights for human rights.

I used the term Mobile Warfare to stress the role that (consumer) mobile technologies and social networks played in the events that changed the social and political landscape in the Mediterranean Africa and more in general in the Middle East, coming to conclusion that the impact of these new technologies is defining a new democracy model which will have to be taken seriously into consideration by all those governments which still put in place severe limitations to human rights.

So, I was definitively not surprised when I noticed this assertion on Mr. Obama’s speech:

… But the events of the past six months show us that strategies of repression and diversion won’t work anymore. Satellite television and the Internet provide a window into the wider world – a world of astonishing progress in places like India, Indonesia and Brazil. Cell phones and social networks allow young people to connect and organize like never before. A new generation has emerged. And their voices tell us that change cannot be denied…

Which implicitly admits the role of Mobile Warfare: strategies of repression and diversion will not work anymore and the weapons to fight repression are just Cell Phones and Social Networks with which young people (usually most involved in the protests) can connect and not only organize life like never before but also realize that there is a world  outside the window…  On the other hand, particularly in case of Egypt, Social Network literally played a primary role in the protest, since one of the leaders was Mr. Wael Ghonim (expressly quoted by Mr. Obama’speech), a young Google Executive.

And the freedom is not only a matter of elections but also of access to new technologies:

In fact, real reform will not come at the ballot box alone. Through our efforts we must support those basic rights to speak your mind and access information. We will support open access to the Internet, and the right of journalists to be heard – whether it’s a big news organization or a blogger. In the 21st century, information is power; the truth cannot be hidden; and the legitimacy of governments will ultimately depend on active and informed citizens.

This implies that the plan that U.S. and E.U. are going to deploy for the Middle East (a comprehensive Trade and Investment Partnership Initiative in the Middle East and North Africa) will also involve funding aimed to promote the access to new technologies for facilitating the sharing of information (and the conseguent hactivism and psyops operations), a factor which the recent events have shown to become synonym of democracy. Also because, according to Cisco predictions, if in 2010 there were 12.5 billion devices connected to the Internet, there will be 25 billion by 2015, and 50 billion by 2020, and consequently it is really hard to think that filters, blocks and any other form of (social, political and technological) repression in the Middle East will stop this tide.

Related articles
Categories: Mobile Tags: , , , , , , , , ,

The Antivirus is Dead, Long Live the Antivirus!

May 18, 2011 1 comment

The Google Chromebook (that is the first Chromium OS powered devices) was presented few days ago (and is ready to reach our shelves for the half of June), but only yesterday I accidentally came across an interesting article (which I had already reported in yesterday’s post) which led me to several thoughts concerning the future of endpoint security, or better, how endpoint protection technologies will adapt themselves to the rapidly mutating landscape, which is shifting from an endpoint-centric to a cloud-centric model. My personal confessions of a dangerous mind derive from Google’s assertion that: Chromebooks have many layers of security built in so there is no anti-virus software to buy and maintain. Moreover, the fact that data reside mainly on the cloud moves the data protection requirements towards the cloud rather than on the endpoint.  If this is true many security giants (such as Intel McAfee, Symantec, Trend Micro, etc.) focalized on endpoint would seriously have to worry about.

The core of the Chromium OS is represented by the Chrome web browser. Through a Web Interface, and most of all thanks to HTML5, Open Web Platform APIs and Google Chrome Extensions, the users will be able to access virtually any kind of applications from the cloud.

What does it mean from a security perspective? The Security Overview document describing the Security Mechanisms adopted by the Chromium OS is clear: the operating system has been designed from the ground up with security in mind, security as an iterative process focused on for the life of the operating system. As a matter of fact, since the OS is browser-centric, the security design efforts have been concentrated on this aspect starting from the foundation, that is the Operating Systems. Several  of the weapons adopted by Chromium OS include:

  • OS Hardening through techniques of Process sandboxing (at OS and browser level), toolchain hardening, Kernel hardening and configuration paring, Additional file system restrictions (Read-only root partition, tmpfs-based /tmp, user home directories without executables, privileged executables, or device nodes;
  • Modular browser with sandboxes for media and HTML parsers;
  • Protection for Phishing, XSS and other Web vulnerabilities;
  • Secure autoupdate protecting itself from attacks by mean of Signed updates downloaded over SSL, checking of Version numbers of updates and verification of the integrity of each update on subsequent boot, by man of Verified Boot process;

That said, is really true that Chromium OS will be the death knell for antivirus?

Before answering this 10 million Dollars question (rigorously Monopoly Dollars) there is a due premise that must necessarily be done: classifying an endpoint protection technology as Antivirus is maybe a little bit reductive and anachronistic. The new generations of threats (the so called blended threats or APTs) make use of several combination of attack vectors ranging from malicious phishing web sites to 0-day OS or application vulnerabilities. This has implied in the last two/three years that the concept of multi-layered protection has found fertile ground in the endpoints as well (as previously done in the network with UTM/XTM technologies) since the new threats are not simple malware but complex combinations of attack vectors which need different layers of protections. A simple antivirus does not exist anymore in a corporate context, but has been substituted by a set of protection technologies combining Anti-Malware, Personal Firewall, Host Intrusion Prevention, Encryption, Data Leackage Prevention, Compliance.

With this premise in mind there are some points for which, in my opinion, endpoint protection technologies will be still needed (at least for version 1.0);

  • Some Critical voices stress the fact that Google will provide an SDK dedicated to write native applications.  Although Google has probably done everything to secure those apps with their double sandbox design, in theory will be possibility to install malicious code or simply bugged code, unaware vector of vulnerabilities in the system (or in the cloud).
  • Since the OS is browser-centric, protection of the browser becomes a critical factor. The security design document states that the web browser provides Protection for Phishing, XSS and other Web vulnerabilities, but the description is not so satisfying: “Phishing, XSS, and other web-based exploits are no more of an issue for Chromium OS systems than they are for Chromium browsers on other platforms.  The only JavaScript APIs used in web applications on Chromium OS devices will be the same HTML5 and Open Web Platform APIs that are being deployed in Chromium browsers everywhere.  As the browser goes, so will we”. Only one simple consideration about this point: a vulnerability on the Webkit rendering engine caused a serious security flaw on the Android and Chrome Browser (and on the Safari Browser and Apple And Blackberry smartphone browsers as well during the last Pwn2Own 2011). Moreover phishing has registered a tremendous growth in the last months as the initial vector for perpetrating complex multi-layered attacks. I am not aware of the fact that chrome users have been less affected than the users of other browsers.
  • There is also another important point: the security overview document identifies two possible kinds of adversaries: opportunistic adversaries and dedicated adversaries. The first kind just tries to compromise an individual user’s machine and/or data, the second kind may target a user or an enterprise specifically for attack. According to Google version 1.0 will be focuses on dangers posed by opportunistic adversaries. This means that, at least for the first version, the Chromium OS will not offer countermeasures targeted to mitigate network-level attacks.

So what are the conclusions? Maybe the death knell for Antivirus technologies (or would be better to say endpoint protection technologies) is still far, rather I believe more realistically that endpoint security technologies will have to be redefined (or better tailored) to better fit the new scenario in which the endpoints act as web-centric gates for the cloud. Maybe antivirus will be no more necessary, but security efforts on the endpoints will have to be directed to protect this new role from OS and web application vulnerabilities (see authentication tokens in clear), malicious web sites, phishing, data loss/leakage (even if the Chromium OS already offers some native features in this direction), and, last but not least, compliance issues (for an enterprise usage). How this will be achieved? Simple, by mean of cloud based security services…

Related articles
Categories: Security Tags: , , , , ,

Nine Months Of Living Dangerously

May 18, 2011 3 comments

The title of this post is not a subset of the famous Peter Weir’s MovieThe Year Of Living Dangerously“, featuring Mel Gibson and Sigourney Weaver, but rather refers to the dangerous months which the Android is living, from the second half of 2010 to this first half of 2011, which saw a dramatic increase in Android Malware.

I enjoyed in summarizing in a single picture the mobile malware which affected Google Mobile OS from August 2010 to the present day. As shown the results are not encouraging and seems to confirm, in a qualitative form, the 400% increase in mobile malware (in six months) recently stated by Juniper Networks: un the second half of 2011 we assisted mainly to variants of the first Trojan. In the first half of 2011 the landscape has become much more complicated with mobile malware tailored “for different needs”.

So far the threats are can be divided essentially into two categories:

  • Malware capable of stealing data, sending them to a remote C&C, which in a mobile platform may have worst consequences since it may send remote data to a C&C Server);
  • Malware capable of sending SMS to premium rate numbers without the user permission (and awareness).

In many cases the malware was downloaded by parallel markets (most of all from China and Russia), with often the pornography acting like a decoy for the unfortunates, hence showing the risks connected with sideloading, that is the practice to enable installation of applications downloaded from external markets.

Two examples were particularly meaningful: the example of Geinimi, which showed all the features of a Botnet. And the example of DroidDream which bypassed all the security control of Android Market and infected something between 50.000 and 200.000 users according to Symantec and were remotely removed by Google, thus prefiguring a new security model which remotely manages the security functions of endpoint (and everything suggests that this trend will soon spread to more traditional endpoints: just today I stumbled upon this really interesting article).

By the way… Just today, three German security researchers discovered a serious flaw on the ClientLogin Authentication Protocol affecting almost all the Android powered devices… Ok it is not a malware, but the security concerns for the Google Mobile Operating System are more relevant than ever…

Related articles
Categories: Mobile, Security Tags: , , , , , , , , , ,
Follow

Get every new post delivered to your Inbox.

Join 1,995 other followers