About these ads

Archive

Posts Tagged ‘Android Market’

Mobile Antiviruses: Malware Scanners or Malware Scammers?

November 23, 2011 2 comments

Few days ago Juniper Networks has released a report on the status of Android Malware. The results are not encouraging for the Android Addicted since they show a 472% increase in malware samples since July 2011 (see the infographic for details).

This does not surprising: already in May in its annual Malicious Mobile Threats Report, report, Juniper had found a 400% increase in Android malware from 2009 to the summer of 2010. This trend is destined to further grow since the Juniper Global Threat Center found that October and November registered the fastest growth in Android malware discovery in the history of the platform. The number of malware samples identified in September increased by 28%. whilst October showed a 110% increase in malware sample collection over the previous month and a noticeable 171% increase from July 2011.

As far as the nature of malware is concerned, Juniper data show that the malware is getting more and more sophisticated, with the majority of malicious applications targeting communications, location, or other personal information. Of the known Android malware samples, 55%, acts as spyware, 44%, are SMS Trojans, which send SMS messages to premium rate numbers without the user’s consent.

The reason for this malware proliferation? A weak policy control on the Android market which makes easier for malicious developers to publish malware applications in disguise. From this point of view, at least according to Juniper, the model of Cupertino is much more efficient and secure.

Easily predictable Google’s answer came from the mouth of Chris DiBona, open source and public sector engineering manager at Google. According to DiBona, Open Source, which is widely present in all the major mobile phone operating systems, is software, and software can be insecure. But Open Source becomes stronger if it pays attention to security, otherwise it is destined to disappear. In support of this statement he quotes the cases of Sendmail and Apache, whose modules which were not considered enough secure disappeared or came back stronger (and more secure) than ever.

But DiBona’s does not stop here (probably he had read this AV-test report which demonstrates that free Android Antimalware applications are useless): “Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself.”

From this point of view Google hopes that Ice Cream Sandwich will lead Android Security at the next level even if some features are raising security concerns among Infosec professionals.

About these ads

First Security Breach In The App Store

November 8, 2011 Leave a comment

It looks like the Judgment Day for iOS has finally arrived. Until today the robustness of the AppStore has always been considered one of the strengths of the Apple Model: unlike the Android Market, which is constantly under attack for its weak security model that allowed too many malicious users to upload malicious applications, a strict control policy had prevented, at least so far, the same destiny for the mobile Apple Application.

Unfortunately Charlie Miller, an old acquaintance of the Apple Supporters, thought that winning three Pwn2Owns in the last four years (2008, 2009 and 2011) exploiting practically every Apple Vulnerability was not enough. So he decided consequently to attack Cupertino directly inside its AppStore security model.

The story begins early last year, after the release of iOS 4.3 when the researcher became suspicious of a possible flaw in the code signing of Apple’s mobile devices.

As stated in the original article by Forbes:

To increase the speed of the phone’s browser, Apple allowed javascript code from the Web to run on a much deeper level in the device’s memory than it had in previous versions of the operating system. In fact, the browser’s speed increase had forced Apple to create an exception for the browser to run unapproved code in a region of the device’s memory, which until then had been impossible. (Apple uses other security restrictions to prevent untrusted websites from using that exception to take control of the phone.)

The next step was to discover a bug that allowed to expand that code-running exception to any application, and that is exactly what he did, but still this was not enough.

After discovering the bug, he submitted an App to the App Store exploiting the vulnerability. The App was approved and behaved as expected (actually a behaviour to which the victims of Android malware are quite familiar): the app was able to phone home to a remote computer downloading new unapproved commands onto the device and executing them at will, including stealing the user’s photos, reading contacts, making the phone vibrate or play sounds, or otherwise repurposing normal iOS app functions for malicious ends.

This method will be presented at the SysCan Conference in Taiwan next week even if a video demonstrations of the exploit is already available.

Last but not least: as a reward for discovering the bug, Apple has decided to revoke to Miller the Developer’s License.

Probably Android users will be the happiest to learn that, as stated by Miller:

Android has been like the Wild West. And this bug basically reduces the security of iOS to that of Android.

At least for one thing (security), iOS and Android are identical.

Looking Inside a Year of Android Malware

August 14, 2011 2 comments

As you will probably know my Birthday post for Android Malware has deserved a mention from Engadget and Wired. Easily predictable but not for me, the Engadget link has been flooded by comments posted by Android supporters and adversaries, with possible trolls’ infiltrations, up to the point that the editorial staff has decided to disable comments from the article. The effect has been so surprising that someone has also insinuated, among other things, that I have been paid to talk s**t on the Android.

Now let me get some rest from this August Italian Sun and let me try to explain why I decided to celebrate this strange malware birthday for the Android.

First of all I want to make a thing clear: I currently do own an Android Device, and convinced, where possible, all my relatives and friends to jump on the Android. Moreover I do consider the Google platform an inseparable companion for my professional and personal life.

So what’s wrong? If you scroll the malware list you may easily notice that the malware always require an explicit consent from the user, so at first glance the real risk is the extreme trust that users put in their mobile devices which are not considered “simple” phones (even if smart), but real extensions of their personal and professional life.

You might say that this happens also for traditional devices (such as laptops), but in case of mobile devices there is a huge social and cultural difference: users are not aware to bring on their pocket dual (very soon four) cores mini-PCs and are not used to apply the same attention deserved for their old world traditional devices. Their small display size also make these devices particularly vulnerable to phishing (consider for instance the malware Android.GGTracker).

If we focus on technology instead of culture (not limiting the landscape to mobile) it easy to verify that the activity of developing malware (which nowadays is essentially a cybercrime activity) is a trade off between different factors affecting the potential target which include, at least its level of diffusion and its value for the attacker (in a mobile scenario the value corresponds to the value of the information stored on the device). The intrinsic security model of the target is, at least in my opinion, a secondary factor since the effort to overtake it, is simply commensurate with the value of the potential plunder.

What does this mean in simple words? It means that Android devices are growing exponentially in terms of market shares and are increasingly being used also for business. As a consequence there is a greater audience for the attackers, a greater value for the information stored (belonging to the owner’s personal and professional sphere) and consequently the sum of these factors is inevitably attracting Cybercrooks towards this platform.

Have a look to the chart drawing Google OS Market share in the U.S. (ComScore Data) compared with the number of malware samples in this last year (Data pertaining Market Share for June and July are currently not available):

So far the impact of the threats is low, but what makes the Google Platform so prone to malware? For sure not vulnerabilities: everything with a line of code is vulnerable, and, at least for the moment, a recent study from Symantec has found only 18 vulnerabilities for Google OS against 300 found for iOS (please do no question on the different age of the two OSes I only want to show that vulnerabilities are common and in this context Android is comparable with its main competitor).

Going back to the initial question there are at least three factors which make Android different:

  1. The application permission model relies too heavily on the user,
  2. The security policy for the market has proven to be weak,
  3. The platform too easily allows to install applications from untrusted sources with the sideloading feature.

As far as the first point is concerned: some commenters correctly noticed that apps do not install themselves on their own, but need, at least for the first installation, the explicit user consent. Well I wonder: how many “casual users” in your opinion regularly check permissions during application installation? And, even worse, as far as business users are concerned, the likely targets of cybercrime who consider the device as a mere work tool: do you really think that business users check app permission during installation? Of course a serious organization should avoid the associated risks with a firm device management policy before considering a wide deployment of similar devices, most of all among CxOs; but unfortunately we live in an imperfect world and too much often fashion and trends are faster (and stronger) than Security Policies and also make the device to be used principally for other things than its business primary role, hugely increasing risks.

This point is a serious security concern, as a matter of fact many security vendors (in my opinion the security industry is in delay in this context) offer Device Management Solution aimed to complete the native Application Access Control model. Besides it is not a coincidence that some rumors claim that Google is going to modify (enhance) the app permission security process.

As far as the second point is concerned (Android Market security policy), after the DroidDream affair, (and the following fake security update), it is clear that the Android Market Publishing (and Security) model needs to be modified, making it more similar to the App Store. There are several proposals in this context, of course in this place is not my intention to question on them but only to stress that the issue is real.

Last but not least Sideloading is something that makes Android very different from other platforms (read Apple), Apple devices do not allow to install untrusted apps unless you do not Jailbreak the devices. Android simply needs the user to flag an option (By The Way many vendors are opening their Android devices to root or alternate ROMs, consider for instance LG which in Italy does not invalidate the Warranty for rooted devices) or HTC which, on May 27, stated they will no longer have been locking the bootloaders on their devices.

So definitively the three above factors (together with the growing market shares) make Android more appealing for malware developers and this is not due to an intrinsic weakness of the platform rather than a security platform model which is mainly driven by the user and not locked by Manufacturer as it happens in case of Cupertino.

One Year Of Android Malware (Full List)

August 11, 2011 30 comments

Update August 14: After the list (and the subsequent turmoil) here is the Look Inside a Year Of Android Malware.

So here it is the full list of Android Malware in a very dangerous year, since August, the 9th 2011 up-to-today.

My birthday gift for the Android is complete: exactly One year ago (9 August 2010) Kaspersky discovered the first SMS Trojan for Android in the Wild dubbed SMS.AndroidOS.FakePlayer.a. This is considered a special date for the Google Mobile OS, since, before then, Android Malware was a litte bit more than en exercise of Style, essentially focused on Spyware. After that everything changed, and mobile malware targeting the Android OS become more and more sophisticated.

Scroll down my special compilation showing the long malware trail which characterized this hard days for information security. Commenting the graph, in my opinion, probably the turning point was Android.Geinimi (end of 2010), featuring the characteristics of a primordial Botnet, but also Android.DroidDream (AKA RootCager) is worthwhile to mention because of its capability to root the phone and potentially to remotely install applications without direct user intervention.

As you will notice, the average impact is low, but, the number of malware is growing exponentially reaching a huge peak in July.

Let’s go in this mobile malware travel between botnets, sleepwalkers, biblic plagues and call Hijackers, and meanwhile do not forget to read my presentation on how to implement a secure mobile strategy.

Date Description Features Overall Risk
Aug 9 2010
SMS.AndroidOS.FakePlayer.a

First SMS Android Malware In the Wild: The malicious program penetrates Android devices in the guise of a harmless media player application. Once manually installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals.

Aug 17 2010 AndroidOS_Droisnake.A

This is the first GPS Spy Malware disguised as an Android Snake game application. To the victim, Tap Snake looks like a clone of the Snake game. However, once someone installs this app on a phone, the “game” serves as a front for a spy app that proceeds to run in the background, secretly reporting GPS coordinates back to a server. The would-be spy then pays for and downloads an app called GPS Spy and enters an email address and code to gain access to the victim’s uploaded data.

Android MarketGPS Spy
Sep 14 2010 SMS.AndroidOS.FakePlayer.b

Pornography lands on Android! This malware is a variant of SMS.AndroidOS.FakePlayer.A. The malware poses as a pornographic application whose package name is pornoplayer.apk, and it installs on the phone with a pornographic icon. When the user launches the application, the malware does not show any adult content and, instead, sends 4 SMS messages to short codes, at the end-user’s expense.

Oct 13 2010
SMS.AndroidOS.FakePlayer.c

Pornography back on Android! Third variant of the malware SMS.AndroidOS.FakePlayer.A. New pornographic application, old icon. Sends 2 SMS messages to short codes, at the end-user’s expense.

Dec 29 2010
Android.Geinimi

First example of a Botnet-Like Malware on Android. “Grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI).

Botnet Like Features
Feb 14 2011
Android.Adrd AKA Android.HongTouTou

New Malware with Botnet-like Features from China. The trojan compromises personal data such as IMEI/IMSI of the device and sends them back to the remote side to react based on the commands from there. Similar to Android.Geinimi but with a lower profile (less commands)

Botnet Like Features
Feb 22 2011 Android.Pjapps

New Trojan horse embedded on third party applications. It opens a back door on the compromised device and retrieves commands from a remote command and control server.

Botnet Like Features
Mar 1 2011 Android.DroidDream AKA Android.Rootcager AKA AndroidOS_Lootoor.A

The first example of a new generation of Mobile Malware: distributed through the Official Android Market, affected, according to Symantec 50,000 to 200,000 users. Expoits two different tools (rageagainstthecage and exploid) to root the phone

Android MarketBotnet Like FeaturesRoot

Mar 9 2011 Android.BgServ AKA Troj/Bgserv-A AKA AndroidOS_BGSERV.A

Trojanized version of the Android Market Security tool released by Google, on March the 6th, to remove the effects of DroidDream. The trojan opens a back door and transmits information from the device to a remote location. It shows more than ever security and reputation flaws in the Android Market Proposition Model. 5,000 users affected.

Android MarketBotnet Like FeaturesRoot

Mar 20 2011 Android.Zeahache

Trojan horse that elevates privileges on the compromised device, discovered on a Chinese language app available for download on alternative Chinese app markets. The app has the ability to root an Android device (by mean of the exploid tool called by zHash binary), leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities was found also on the Android Market albeit this version lacked the code to invoke the exploit.

Android MarketRoot

Mar 30 2011 Android.Walkinwat

Manually installed from non-official Android Markets, the Trojan modifies certain permissions on the compromised device that allow it to perform the following actions: Access contacts in the address book, ccess network information, access the phone in a read-only state, access the vibrator on the phone, Check the license server for the application, find the phone’s location, initiate a phone call without using the interface, open network sockets to access the Internet, read low-level log files, send SMS messages, turn the phone on and off. It gives a message to user trying to discipline users that download files illegally from unauthorized sites.

May 9 2011

Android.Adsms AKA AndroidOS_Adsms.A

This malware specifically targeted China Mobile subscribers. The malware arrived through a link sent through SMS. The said message tells the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually leads to a malicious configuration file. The malware then send message to premium numbers.

Android Market

May 11 2011

Android.Zsone AKA Android.Smstibook

Google removed a Trojan, Zsone, from the Android Market with the ability to subscribe users in China to premium rate QQ codes via SMS without their knowledge. 10,000 users affected.

Android Market

May 22 2011

Android.Spacem

A biblical plague For Android! Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation. The malware targeted North American Users. After the reboot, it starts a service whichm at regular intervals, attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location in intervals of 33 minutes. In addition to having abilities to respond to commands through the Internet and SMS, the threat also has activities that are designed to trigger on the 21 and 22 of May 2011, respectively (The End of The World).

Android Market

Botnet Like Features

May 31 2011

Android.LightDD

A brand new version of Android.DroidDream, dubbed DroidDreamLight, was found in 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developers distributed in the Android Market. Between 30.000 and 120.000 users affected.

Android Market

Botnet Like Features

Jun 6 2011

Android/DroidKungFu.A AKA Android.Gunfu

Malware which uses the same exploit than DroidDream, rageagainstthecage, to gain root privilege and install the main malware component. Once installed, the malware has backdoor capabilities and is able to: execute command to delete a supplied file, execute a command to open a supplied homepage, download and install a supplied APK, open a supplied URL, run or start a supplied application package. The malware is moreover capable to obtain some information concerning the device and send them to a remote server: The collected information include: IMEI number, Build version release, SDK version, users’ mobile number, Phone model, Network Operator, Type of Net Connectivity, SD card available memory, Phone available memory. In few words, the device is turned into a member of a botnet.

Root

Botnet Like Features

Jun 9 2011

Android.Basebridge

Trojan Horse that attempts to send premium-rate SMS messages to predetermined numbers. When an infected application is installed, it attempts to exploit the udev Netlink Message Validation Local Privilege Escalation Vulnerability (BID 34536) in order to obtain “root” privileges.  Once running with “root” privileges it installs an executable which contains functionality to communicate with a control server using HTTP protocol and sends information such as Subscriber ID, Manufacturer and Model of the device, Version of the Android operating system. The Trojan also periodically connects to the control server and may perform the following actions: send SMS messages, remove SMS messages from the Inbox and dial phone numbers. The Trojan also contains functionality to monitor phone usage.

Botnet Like Features

Jun 9 2011

Android.Uxipp AKA Android/YZHCSMS.A

Trojan Horse that attempts to send premium-rate SMS messages to predetermined numbers. Again the threat is as an application for a Chinese gaming community. When executed, the Trojan attempts to send premium-rate SMS messages to several numbers and remove the SMS sent.
The Trojan sends device information, such as IMEI and IMSI numbers.

Android Market

Jun 10 2011

Andr/Plankton-A AKA Android.Tonclank 

This is a Trojan horse which steals information and may open a back door on Android devices. Available for download in the Android Market embedded in several applications, when the Trojan is executed, it steals the following information from the device: Device ID and Device permissions. The above information is then sent to a remote server from which  the Trojan downloads a .jar file which opens a back door and accepts commands to perform the following actions on the compromised device: copies all of the bookmarks on the device, copies all of the history on the device, copies all of the shortcuts on the device, creates a log of all of the activities performed on the device, modifies the browser’s home page, returns the status of the last executed command. The gathered information is then sent to a remote location.

Although this malware does not root the phone, its approach of loading additional code does not allow security software on Android to inspect the downloaded file in the usual “on-access” fashion, but only through scheduled and “on-demand” scans. This is the reason why the malware was not discovered before.

Android Market

Botnet Like Features

Jun 15 2011

Android.Jsmshider

Trojan found in alternative Android markets that predominately target Chinese Android users. This Trojan predominantly affects devices with a custom ROM. The application masquerades as a legitimate one and exploits a vulnerability found in the way most custom ROMs sign their system images to install a secondary payload (without user permission) onto the ROM, giving it the ability to communicate with a remote server and receive commands. Once installed the second payload may read, send and process incoming SMS messages (potentially for mTAN interception or fraudulent premium billing subscriptions), install apps trasparently, communicate with a remote server using DES encryption.

Botnet Like Features

Jun 20 2011

Android.GGTracker

This trojan is automatically downloaded to a user’s phone after visiting a malicious webpage that imitates the Android Market. The Trojan, which targets users in the United States by interacting with a number of premium SMS subscription services without consent, is able to sign-up a victim to a number of premium SMS subscription services without the user’s consent.  This can lead to unapproved charges to a victim’s phone bill. Android users are directed to install this Trojan after clicking on a malicious in-app advertisement, for instance a Fake Battery Saver.

Jul 1 2011

Android.KungFu Variants

Repackaged and distributed in the form of “legitimate” applications, these two variants are different from the original one by  re-implementing some of their malicious functionalities in native code and supporting two additional command and control (C&C) domains. The changes are possibly in place to make their detection and analysis harder.

The repackaged apps infected with the DroidKungFu variants are made available through a number of alternative app markets and forums targeting Chinese-speaking users.

RootBotnet Like Features
Jul 3 2011 AndroidOS_Crusewin.A AKA Android.Crusewind

Another example of a trojan which sends SMS to premium rate numbers. It also acts as a SMS Relay. It displays a standard Flash icon in the application list. The Trojan attempts to download an XML configuration file and uses it to retrieve a list of further URLs to send and receive additional data. The Trojan also contains functionality to perform the following actions: delete itself, delete SMS messages, send premium-rate SMS messages to the number that is specified in the downloaded XML configuration file, update itself.

Jul 6 2011

AndroidOS_SpyGold.A AKA Android.GoldDream

This backdoor is a Trojanized copy of a legitimate gaming application for Android OS smartphones. It steals sensitive information of the affected phone’s SMS and calls functions, compromising the security of the device and of the user. It monitors the affected phone’s SMS and phone calls and sends stolen information to a remote URL. It also connects to a malicious URL in order to receive commands from a remote malicious user.

Botnet Like Features

Jul 8 2011 DroidDream Light Variant

New variant of DroidDream Light in the Android Market, immediately removed by Google. Number of downloads was limited to 1000 – 5000. This is the third iteration of malware likely created by the authors of DroidDream.

Android Market

Botnet Like Features

Jul 11 2011

Android.Smssniffer AKA Andr/SMSRep-B/C AKA Android.Trojan.SmsSpy.B/C AKA Trojan-Spy.AndroidOS.Smser.a


ZiTMO arrives on Android!
This threat is found bundled with repackaged versions of legitimate applications. When the Trojan is executed, it grabs a copy of all SMS messages received on the handheld device and sends them to a remote location.

Jul 12 2011

Android.HippoSMS AKA Android.Hippo

Another threat found bundled with repackaged versions of legitimate applications. When the Trojan is executed, it grabs a copy of all SMS messages received on the handheld device and sends them to a remote location.

Jul 15 2011

Android.Fokonge

This threat is often found bundled with repackaged versions of legitimate applications. The repackaged applications are typically found on unofficial websites offering Android applications. When the Trojan is executed, it steals information and sends it to a remote server.

Botnet Like Features

Jul 15 2011

Android/Sndapps.A AKA Android.Snadapps

Five Android Apps found in the official Android Market share a common suspicious payload which upload users’ personal information such as email accounts as well as phone numbers to a remote server without user’s awareness.

Android Market

Botnet Like Features

Jul 27 2011

Android.Nickispy

Trojan horse which steals several information from Android devices (for instance GPS Location or Wi-Fi position). For the first time on the Android Platform a malware is believed  to spy conversations.

Botnet Like Features

Jul 28 2011

Android.Lovetrap

Trojan horse that sends SMS messages to premium-rate phone number. When the Trojan is executed, it retrieves information containing premium-rate phone numbers from a malicious URL then sends premium-rate SMS messages. and attempts to block any confirmation SMS messages the compromised device may receive from the premium-rate number in an attempt to mask its activities. The Trojan also attempts to gather IMSI and location information and send the information to the remote attacker.

Aug2 2011

Android.Premiumtext

This is a detection for Trojan horses that send SMS texts to premium-rate numbers. These Trojan is a repackaged versions of genuine Android software packages, often distributed outside the Android Marketplace. The package name, publisher, and other details will vary and may be taken directly from the original application..

Aug 9 2011

Android.NickiBot

It belongs to the same NickiSpy family. However, it is significantly different from its predecessor since it is fully controlled by SMS messages instead of relying on a hard-coded C&C server for instructions. In addition, NickiBot supports a range of bot commands, such as for (GPS-based) location monitoring, sound recording and (email-based) uploading, calllog collection, etc. It also has a check-in mechanism to a remote website. his threat is often found bundled with repackaged versions of legitimate applications. The repackaged applications are typically found on unofficial websites offering Android applications. When the Trojan is executed, it steals information and sends it to a remote server.

Botnet Like Features

Legend

Parallel Market

Android MarketAndroid Market

Manual Install

Automatic Install of Apps

Send SMS or Calls to Premium Numbers

Botnet Like Features Server C&C

GPS SpyGPS Spyware

Root Root Access

Happy Birthday! One Year of Android Malware

August 9, 2011 2 comments

Exactly One year ago (9 August 2010) Kaspersky discovered the first SMS Trojan for Android in the Wild dubbed SMS.AndroidOS.FakePlayer.a. This is considered a special date for the Google Mobile OS, since, before then, Android Malware was a litte bit more than en exercise of Style, essentially focused on Spyware. After that everything changed, and mobile malware targeting the Android OS become more and more sophisticated.

For this reason I decided to prepare a special birthday gift for the Android, that is a special compilation showing the long malware trail which characterized this day. Commenting the graph, in my opinion, probably the turning point was Android.Geinimi (end of 2010), featuring the characteristics of a primordial Botnet, but also Android.DroidDream (AKA RootCager) is worthwhile to mention because of its capability to root the phone and potentially to remotely install applications without direct user intervention. Moreover, as you will have probably noticed, the average impact is low, but, the number of malware is growing exponentially after June, this is the reason why I decided to divide my special compilation in two parts. Today is part I: from the beginning to May, the 31st 2011.

Let’s go in this mobile malware travel between botnets, sleepwalkers and biblic plagues and meanwhile do not forget to read my presentation on how to implement a secure mobile strategy.

Date Description Features Overall Risk
Aug 9 2010
SMS.AndroidOS.FakePlayer.a

First SMS Android Malware In the Wild: The malicious program penetrates Android devices in the guise of a harmless media player application. Once manually installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals.

Aug 17 2010 AndroidOS_Droisnake.A

This is the first GPS Spy Malware disguised as an Android Snake game application. To the victim, Tap Snake looks like a clone of the Snake game. However, once someone installs this app on a phone, the “game” serves as a front for a spy app that proceeds to run in the background, secretly reporting GPS coordinates back to a server. The would-be spy then pays for and downloads an app called GPS Spy and enters an email address and code to gain access to the victim’s uploaded data.

Android MarketGPS Spy
Sep 14 2010 SMS.AndroidOS.FakePlayer.b

Pornography lands on Android! This malware is a variant of SMS.AndroidOS.FakePlayer.A. The malware poses as a pornographic application whose package name is pornoplayer.apk, and it installs on the phone with a pornographic icon. When the user launches the application, the malware does not show any adult content and, instead, sends 4 SMS messages to short codes, at the end-user’s expense.

Oct 13 2010
SMS.AndroidOS.FakePlayer.c

Pornography back on Android! Third variant of the malware SMS.AndroidOS.FakePlayer.A. New pornographic application, old icon. Sends 2 SMS messages to short codes, at the end-user’s expense.

Dec 29 2010
Android.Geinimi

First example of a Botnet-Like Malware on Android. “Grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI).

Botnet Like Features
Feb 14 2011
Android.Adrd AKA Android.HongTouTou

New Malware with Botnet-like Features from China. The trojan compromises personal data such as IMEI/IMSI of the device and sends them back to the remote side to react  based on the commands from there. Similar to Android.Geinimi but with a lower profile (less commands)

Botnet Like Features
Feb 22 2011 Android.Pjapps

New Trojan horse embedded on third party applications. It opens a back door on the compromised device and retrieves commands from a remote command and control server.

Botnet Like Features
Mar 1 2011 Android.DroidDream AKA Android.Rootcager AKA AndroidOS_Lootoor.A

The first example of a new generation of Mobile Malware: distributed through the Official Android Market, affected, according to Symantec 50,000 to 200,000 users. Expoits two different tools  (rageagainstthecage and exploid) to root the phone

Android MarketBotnet Like FeaturesRoot

Mar 9 2011 Android.BgServ AKA Troj/Bgserv-A AKA AndroidOS_BGSERV.A

Trojanized version of the Android Market Security tool released by Google, on March the 6th, to remove the effects of DroidDream. The trojan opens a back door and transmits information from the device to a remote location. It shows more than ever security and reputation flaws in the Android Market Proposition Model. 5,000 users affected.

Android MarketBotnet Like FeaturesRoot

Mar 20 2011 Android.Zeahache

Trojan horse that elevates privileges on the compromised device, discovered on a Chinese language app available for download on alternative Chinese app markets. The app has the ability to root an Android device (by mean of the exploid tool called by zHash binary), leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities was found also on the Android Market albeit this version lacked the code to invoke the exploit.

Android MarketRoot

Mar 30 2011 Android.Walkinwat

Manually installed from non-official Android Markets, the Trojan modifies certain permissions on the compromised device that allow it to perform the following actions: Access contacts in the address book, ccess network information, access the phone in a read-only state, access the vibrator on the phone, Check the license server for the application, find the phone’s location, initiate a phone call without using the interface, open network sockets to access the Internet, read low-level log files, send SMS messages, turn the phone on and off. It gives a message to user  trying to discipline users that download files illegally from unauthorized sites.

May 9 2011

Android.Adsms AKA AndroidOS_Adsms.A

This malware specifically targeted China Mobile subscribers. The malware arrived through a link sent through SMS. The said message tells the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually leads to a malicious configuration file. The malware then send message to premium numbers.

Android Market

May 11 2011

Android.Zsone AKA Android.Smstibook

Google removed a Trojan, Zsone, from the Android Market with the ability to subscribe users in China to premium rate QQ codes via SMS without their knowledge. 10,000 users affected.

Android Market

May 22 2011

Android.Spacem

A biblical plague For Android! Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation. The malware targeted North American Users. After the reboot, it starts a service whichm at regular intervals, attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location in intervals of 33 minutes. In addition to having abilities to respond to commands through the Internet and SMS, the threat also has activities that are designed to trigger on the 21 and 22 of May 2011, respectively (The End of The World).

Android Market

Botnet Like Features

May 31 2011

Android.LightDD

A brand new version of Android.DroidDream, dubbed DroidDreamLight, was found in 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developers distributed in the Android Market. Between 30.000 and 120.000 users affected.

Android Market

Botnet Like Features

Legend

Parallel Market

Android MarketAndroid Market

Manual Install

Automatic Install of Apps

Send SMS or Calls to Premium Numbers

Botnet Like Features Server C&C

GPS SpyGPS Spyware

When Angry Birds eat Plankton

June 14, 2011 1 comment
Android Market

Image via Wikipedia

What happens when Angry Birds eat Plankton? Simple: they get Sick Birds, go to the Android Market and infect more devices with a bot-like malware.

The last malware inside the Android Market, dubbed Plankton, has been discovered by the same team which discovered DroidKungFu led by Xuxian Jiang, Assistant Professor at North Carolina State University. Although the brand new malware does not root the device, it has the bad habit to hide itself inside familiar apps related to the popular game Angry Birds. The suspected apps were removed on 6/5/2011, but since the malware leverages a new evasion technique which allowed it to stay in the market for more than 2 months without being detected by current mobile anti-malware software, but being downloaed more than 100.000 times.

Plankton is included in host apps by adding a background service: when the infected app runs, it will bring up the background service which collects information, including the device ID as well as the list of granted permissions to the infected app, and send them back to a remote server discovered by Sophos to be hosted in the Amazon Cloud.

The server replies with a URL that is used to download an additional JAR file with custom code that is loaded by the downloader.

Once the JAR file is downloaded, Plankton uses a technique for loading additional code from non-Market websites demonstrated by Jon Oberheide about a year ago, providing a potential attacker with a method of circumventing checks of application functionality by Google or by another Android Market provider.

The downloaded code launches another connection to the Command server and listens for commands to execute.

Although this malware does not root the phone, its approach of loading additional code does not allow security software on Android to inspect the downloaded file in the usual “on-access” fashion, but only through scheduled and “on-demand” scans. This is the reason why the malware was not discovered before.

As a consequence the pressure on Google is building on two fronts: on one side, users are demanding better security and on the other side security vendors are asking for better operating system interfaces to make security software more effective against the ever-increasing tide of Android malware.

Sometimes They Come Back

June 6, 2011 1 comment

Not even a week after the light version of DroidDream, a new nightmare rises from the Android Market to menace the dreams of glory of the Google Mobile OS (which has just confirmed his #1 Rank on the comScore April 2011 U.S. Mobile Subscriber Market Share Report).

Curiously, also the new malware, discovered by F-Secure, and dubbed Android/DroidKungFu.A, “has its roots” on DroidDream since it uses the same exploit, rageagainstthecage, to gain root privilege and install the main malware component.

Once installed, the malware has backdoor capabilities and is able to: execute command to delete a supplied file, execute a command to open a supplied homepage, download and install a supplied APK, open a supplied URL, run or start a supplied application package.

Of course, who is familiar with Android malware may easily imagine the next step of the infection: the malware is in fact capable to obtain some information concerning the device and send them to a remote server: The collected information include: IMEI number, Build version release, SDK version, users’ mobile number, Phone model, Network Operator, Type of Net Connectivity, SD card available memory, Phone available memory.

In few words, the device is turned into a member of a botnet (without realizing it we are closer and closer to Phase 4 of Mobile Malware, consult slide 9 of my presentation for the different phases of Mobile Malware).

Guess where the malware was detected first? Of course from some parallel Markets in China, at least according to some Researchers of the North Carolina University who detected two infected applications in more than eight third-party Android app stores and forums based in China. Nothing new under this sun of June. Luckily the researchers haven’t found infected apps in non-Chinese app stores… At least so far.

As previously stated DroidKungFu takes advantages of the same vulnerabilities than DroidDream, but this time the situation seems to be much worse. As a matter of fact it looks like DroidKungFu is capable of avoiding detection by security software.

The malware makes its best with Android 2.2 and earlier, but the owners of later versions of Android are not entirely safe: the security patches severely limit DroidKungFu, but the malware is still able to collect some user data and send them to a remote site.

Again, follow basic, common-sense guidelines for smartphone security in order to mitigate the risks of infection (here you may find some useful suggestions), even because Google Wallet is at the gates and I dare not even think to the aftermaths of a malware leveraging vulnerabilities on the Secure Element

DroidDream is Back!

May 31, 2011 1 comment

There is a new nightmare on the Android Market, and again many Android devices are not going to have a good awakening.

The last security advice for the Google Mobile OS comes from Lookout, which has discovered a new variant of the infamous DroidDream, the first malware conveyed by the Official Android Market capable of infecting at the beginning  of March, according to Symantec, between 50.000 and 200.000 devices.

This time the brand new version, dubbed DroidDreamLight, was found in 26 repackaged applications from 5 different developers distributed in the Android Market. According to Lookout DroidDreamLight is no less than is “noble” predecessor, since was able to affect between 30.000 and 120.000 users.

According to Lookout, the malicious components of DroidDream Light are invoked on receipt of an android.intent.action.PHONE_STATE intent (e.g. an incoming voice call). As a consequence DroidDream Light does not depend on manual launch of the installed application to trigger its behavior.  The broadcast receiver immediately launches the <package>.lightdd.CoreService which contacts remote servers and supplies the IMEI, IMSI, Model, SDK Version and information about installed packages. It appears that the DDLight is also capable of downloading and prompting installation of new packages, though unlike its predecessors it is not capable of doing so without user intervention.

The list of the infected applications (already removed from Google) is available at the original link. I must confess I could not help noticing the rich amount of “hot” applications, which confirm (unfortunately) to be a lethal weapon for carrying malware.

This event will raise again the concerns about the security policies on the Android Market, and about the apparently unstoppable evolution of the mobile threat landscape which has brought for the Android a brand new malware capable of sending data to a remote server. A further step closer to a mobile botnet even if, at least for this time, with limited capabilities of auto-installing packages,.

I will have to update my presentation, meanwhile do not forget to follow the guidelines for a correct mobile behavior:

  • Avoid “promiscuous” behaviours (perform rooting, sideloading or jaibreaking with caution, most of all in case of a device used for professional purpose);
  • Do not accept virtual candies from unkown virtual individuals, i.e. only install applications from trusted sources, always check the origin and their permissions during installation;
  • Beware of unusual behavior of the phone (DroidDream owes its name to the fact that he used to perform most of its malicious action from 11 P.M to 8 A.M.);
  • Beware of risks hidden behind social Network (see my post of yesterday on mobile phishing);
  • Use security software;
  • Keep the device updated.

Nine Months Of Living Dangerously

May 18, 2011 3 comments

The title of this post is not a subset of the famous Peter Weir’s MovieThe Year Of Living Dangerously“, featuring Mel Gibson and Sigourney Weaver, but rather refers to the dangerous months which the Android is living, from the second half of 2010 to this first half of 2011, which saw a dramatic increase in Android Malware.

I enjoyed in summarizing in a single picture the mobile malware which affected Google Mobile OS from August 2010 to the present day. As shown the results are not encouraging and seems to confirm, in a qualitative form, the 400% increase in mobile malware (in six months) recently stated by Juniper Networks: un the second half of 2011 we assisted mainly to variants of the first Trojan. In the first half of 2011 the landscape has become much more complicated with mobile malware tailored “for different needs”.

So far the threats are can be divided essentially into two categories:

  • Malware capable of stealing data, sending them to a remote C&C, which in a mobile platform may have worst consequences since it may send remote data to a C&C Server);
  • Malware capable of sending SMS to premium rate numbers without the user permission (and awareness).

In many cases the malware was downloaded by parallel markets (most of all from China and Russia), with often the pornography acting like a decoy for the unfortunates, hence showing the risks connected with sideloading, that is the practice to enable installation of applications downloaded from external markets.

Two examples were particularly meaningful: the example of Geinimi, which showed all the features of a Botnet. And the example of DroidDream which bypassed all the security control of Android Market and infected something between 50.000 and 200.000 users according to Symantec and were remotely removed by Google, thus prefiguring a new security model which remotely manages the security functions of endpoint (and everything suggests that this trend will soon spread to more traditional endpoints: just today I stumbled upon this really interesting article).

By the way… Just today, three German security researchers discovered a serious flaw on the ClientLogin Authentication Protocol affecting almost all the Android powered devices… Ok it is not a malware, but the security concerns for the Google Mobile Operating System are more relevant than ever…

If The Droid Gets The (China’s) Flu

May 14, 2011 1 comment

The thought of this night is dedicated to yet another couple of android malwares detected (as usual) in China.

It was a bit of time that the droid was not sick, however, as the change of season is often fatal to humans, so it is for the Androids which caught two new infections in few days.

On May, the 11th, it was the turn of a new Trojan embedded, once again as in the case of the notorious DroidDream (but I’d rather say that malware is becoming a nightmare for the Google Creature) in official applications inside the Android Market. All the applications were published by the same developer, Zsone, and were suddenly removed by Google.

The Trojan, which affects Chinese users, is characterized by the ability to subscribe users in China to premium rate QQ codes via SMS without their knowledge. QQ codes, used primarily in China, are a form of short code that can subscribe users to SMS update or instant message services. The malware was embedded in 10 apps by the developer named Zsone available on the Android Market and alternative markets.

Once the user starts the app on their phone, the app will silently send an SMS message to subscribe the user to a premium-rate SMS service without their authorization or knowledge. This may result in charges to the affected phone owner’s mobile accounts. Even if the threat affects Chinese Android phone owners who downloaded the app from the Android Market, the total number of downloads attributed to this app in the Android Market has appeared to be under 10,000.  All instances of the threat have been removed from the market.

On May, the 12th, it was the turn of ANDROIDOS_TCENT.A, discovered by Trend Micro. This malware, which only affects China Mobile subscribers (the state-owned service provider  considered the world’s largest mobile phone operator), arrived to users  through a link sent through SMS, whose message invited the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually led to a malicious file (fake AV have landed on mobile devices as well).

The malware is capable to obtain certain information about the affected devices such as IMEI number, phone model, and SDK version and connects to a certain URL to request for an XML configuration file.

Two very different infections, having a common origin from China: the first example emphasizes once again the breaches into the security and reputation model of the Android Market. The second one features a well established infection model who is rapidly gaining credit (and victims) also in the mobile world: the SMS phishing. I think we will often hear speaking about in the next months.

The two malware infections came a couple of days after the Malicious Mobile Threats Report 2010/2011 issued by Juniper Networks which indicated a 400% increase in Android malware since summer 2010 and other key findings, several of which were clearly found in the above mentioned infections:

  • App Store Threats: That is the single greatest distribution point for mobile malware is application download, yet the vast majority of smartphone users are not employing an endpoint security solution on their mobile device to scan for malware;
  • Wi-Fi Threats: Mobile devices are increasingly susceptible to Wi-Fi attacks, including applications that enable an attacker to easily log into victim email and social networking applications
  • 17 percent of all reported infections were due to SMS trojans that sent SMS messages to premium rate numbers, often at irretrievable cost to the user or enterprise
  • Device Loss and Theft: according to the author of the report: 1 in 20 among the Juniper customer devices were lost or stolen, requiring locate, lock or wipe commands to be issued

Will it also be for these reasons that Smartphone security software market is expected to reach $2.99 billion by 2017? Maybe! Meanwhile I recommend to be very careful to install applications from parallel markets and in any case (since we have seen that this is not enough) to always check the application permissions during installation. Moreover, do not forget to install a security software if possible as the 23% of the droid users (among which there is me) does.

Follow

Get every new post delivered to your Inbox.

Join 2,705 other followers