The last malware inside the Android Market, dubbed Plankton, has been discovered by the same team which discovered DroidKungFu led by Xuxian Jiang, Assistant Professor at North Carolina State University. Although the brand new malware does not root the device, it has the bad habit to hide itself inside familiar apps related to the popular game Angry Birds. The suspected apps were removed on 6/5/2011, but since the malware leverages a new evasion technique which allowed it to stay in the market for more than 2 months without being detected by current mobile anti-malware software, but being downloaed more than 100.000 times.
Plankton is included in host apps by adding a background service: when the infected app runs, it will bring up the background service which collects information, including the device ID as well as the list of granted permissions to the infected app, and send them back to a remote server discovered by Sophos to be hosted in the Amazon Cloud.
The server replies with a URL that is used to download an additional JAR file with custom code that is loaded by the downloader.
Once the JAR file is downloaded, Plankton uses a technique for loading additional code from non-Market websites demonstrated by Jon Oberheide about a year ago, providing a potential attacker with a method of circumventing checks of application functionality by Google or by another Android Market provider.
The downloaded code launches another connection to the Command server and listens for commands to execute.
Although this malware does not root the phone, its approach of loading additional code does not allow security software on Android to inspect the downloaded file in the usual “on-access” fashion, but only through scheduled and “on-demand” scans. This is the reason why the malware was not discovered before.
As a consequence the pressure on Google is building on two fronts: on one side, users are demanding better security and on the other side security vendors are asking for better operating system interfaces to make security software more effective against the ever-increasing tide of Android malware.
- Plankton malware drifts into Android Market (nakedsecurity.sophos.com)
Today some more details about the Citi breach were revealed and it looks like it is not connected with the RSA breach.
The investigation is still in place, but data collected so far show the kind of attack performed is pretty much more “traditional” then a SecureID clonation: the attackers were able to bypass the perimeter security systems by logging on the site reserved for credit card customers (but no one has explained so far how) were they were able to exploit some vulnerabilities on the Home Banking Web Site.
Once inside, they leapfrogged between the accounts of different Citi customers by inserting vari-ous account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.
It looks like application and database security is a curse and a bless for the infosec arena. Although not fully mature in my opinion, it is one of the most promising sectors (in which there are grand maneuvers under way by the vendors), but in the same way, application in(security) has been the indirect reasons for several events this year: Sony (in some of the suffered breaches) and Epsilon have been victims of SQL Injection, and if for a moment we forget the breaches (real leading actors of this 2011) and pass to consider malware, we must necessarily mention LizaMoon which has flooded an impressive number of databases all over the world with SQL Injection, infecting more than 1,500,000 URLs.
Unfortunately these kinds of attacks are not simple exercises in style but are often the first stage of more complex Cybercrime operations. If the stolen Data immediately usable (such as Credit Card Numbers and corresponding CVV codes), they are sold in the Black Market Bazaar. In other circumstances, when the stole information is not enough to gain immediate profit, the targets become victims of tailored spear-phishing campaigns (which could potentially last for several years) aimed to gain the missing pieces of the puzzle (read information) necessary to perform the malicious actions.
That is the reasons why, if not already done, Enterprises need to make application security a key foundation for the development of secure business application and services: educating the developers with secure development guidelines, implementing adequate countermeasures with Web Application/Database Firewall, periodically probing the security level of the infrastructure with Vulnerability Assessment and Penetration Test and, last but not least, performing a constant patching.
This corresponds to implement an application oriented modern form of the Deming Cycle, more poetically summarized by the expression “performing Application Housekeeping”.
- Application Security: What’s Next? (paulsparrows.wordpress.com)
- Citigroup Breach and RSA Breach: A Possible Connection? (paulsparrows.wordpress.com)