
Posts Tagged ‘Android.Pjapps’

One Year Of Android Malware (Full List)

August 11, 2011 30 comments

Update August 14: After the list (and the subsequent turmoil) here is the Look Inside a Year Of Android Malware.

So here it is: the full list of Android malware in a very dangerous year, from August the 9th 2011 up to today.

My birthday gift for the Android is complete: exactly one year ago (9 August 2010) Kaspersky discovered the first SMS Trojan for Android in the wild, dubbed SMS.AndroidOS.FakePlayer.a. This is considered a special date for the Google Mobile OS, since, before then, Android malware was little more than an exercise in style, essentially focused on spyware. After that everything changed, and mobile malware targeting the Android OS became more and more sophisticated.

Scroll down my special compilation showing the long malware trail which characterized these hard days for information security. Commenting on the graph, in my opinion the turning point was probably Android.Geinimi (end of 2010), featuring the characteristics of a primordial botnet, but Android.DroidDream (AKA RootCager) is also worth mentioning because of its capability to root the phone and potentially to remotely install applications without direct user intervention.

As you will notice, the average impact is low, but the number of malware threats is growing exponentially, reaching a huge peak in July.

Let’s set off on this mobile malware journey among botnets, sleepwalkers, biblical plagues and call hijackers, and meanwhile do not forget to read my presentation on how to implement a secure mobile strategy.

Date Description Features Overall Risk
Aug 9 2010
SMS.AndroidOS.FakePlayer.a

First SMS Android Malware In the Wild: The malicious program penetrates Android devices in the guise of a harmless media player application. Once manually installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals.

Aug 17 2010 AndroidOS_Droisnake.A

This is the first GPS Spy Malware disguised as an Android Snake game application. To the victim, Tap Snake looks like a clone of the Snake game. However, once someone installs this app on a phone, the “game” serves as a front for a spy app that proceeds to run in the background, secretly reporting GPS coordinates back to a server. The would-be spy then pays for and downloads an app called GPS Spy and enters an email address and code to gain access to the victim’s uploaded data.

Android Market, GPS Spy
Sep 14 2010 SMS.AndroidOS.FakePlayer.b

Pornography lands on Android! This malware is a variant of SMS.AndroidOS.FakePlayer.A. The malware poses as a pornographic application whose package name is pornoplayer.apk, and it installs on the phone with a pornographic icon. When the user launches the application, the malware does not show any adult content and, instead, sends 4 SMS messages to short codes, at the end-user’s expense.

Oct 13 2010
SMS.AndroidOS.FakePlayer.c

Pornography back on Android! Third variant of the malware SMS.AndroidOS.FakePlayer.A. New pornographic application, old icon. Sends 2 SMS messages to short codes, at the end-user’s expense.

Dec 29 2010
Android.Geinimi

First example of a Botnet-Like Malware on Android. “Grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI).

Botnet Like Features
Feb 14 2011
Android.Adrd AKA Android.HongTouTou

New Malware with Botnet-like Features from China. The trojan compromises personal data such as the IMEI/IMSI of the device, sends it back to the remote side and reacts to the commands it receives from there. Similar to Android.Geinimi but with a lower profile (fewer commands).

Botnet Like Features
Feb 22 2011 Android.Pjapps

New Trojan horse embedded in third-party applications. It opens a back door on the compromised device and retrieves commands from a remote command and control server.

Botnet Like Features
Mar 1 2011 Android.DroidDream AKA Android.Rootcager AKA AndroidOS_Lootoor.A

The first example of a new generation of Mobile Malware: distributed through the Official Android Market, it affected, according to Symantec, 50,000 to 200,000 users. Exploits two different tools (rageagainstthecage and exploid) to root the phone.

Android Market, Botnet Like Features, Root

Mar 9 2011 Android.BgServ AKA Troj/Bgserv-A AKA AndroidOS_BGSERV.A

Trojanized version of the Android Market Security tool released by Google, on March the 6th, to remove the effects of DroidDream. The trojan opens a back door and transmits information from the device to a remote location. It shows more than ever security and reputation flaws in the Android Market Proposition Model. 5,000 users affected.

Android Market, Botnet Like Features, Root

Mar 20 2011 Android.Zeahache

Trojan horse that elevates privileges on the compromised device, discovered in a Chinese-language app available for download on alternative Chinese app markets. The app has the ability to root an Android device (by means of the exploid tool, called by the zHash binary), leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities, was also found on the Android Market, albeit this version lacked the code to invoke the exploit.

Android Market, Root

Mar 30 2011 Android.Walkinwat

Manually installed from non-official Android Markets, the Trojan modifies certain permissions on the compromised device that allow it to perform the following actions: access contacts in the address book, access network information, access the phone in a read-only state, access the vibrator on the phone, check the license server for the application, find the phone’s location, initiate a phone call without using the interface, open network sockets to access the Internet, read low-level log files, send SMS messages, turn the phone on and off. It displays a message to the user, trying to discipline users that download files illegally from unauthorized sites.

May 9 2011

Android.Adsms AKA AndroidOS_Adsms.A

This malware specifically targeted China Mobile subscribers. The malware arrived through a link sent through SMS. The said message tells the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually leads to a malicious configuration file. The malware then sends messages to premium numbers.

Android Market

May 11 2011

Android.Zsone AKA Android.Smstibook

Google removed a Trojan, Zsone, from the Android Market with the ability to subscribe users in China to premium rate QQ codes via SMS without their knowledge. 10,000 users affected.

Android Market

May 22 2011

Android.Spacem

A biblical plague for Android! Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation. The malware targeted North American users. After the reboot, it starts a service which, at regular intervals, attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location in intervals of 33 minutes. In addition to having abilities to respond to commands through the Internet and SMS, the threat also has activities that are designed to trigger on the 21 and 22 of May 2011, respectively (The End of The World).

Android Market

Botnet Like Features

May 31 2011

Android.LightDD

A brand new version of Android.DroidDream, dubbed DroidDreamLight, was found in 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developers distributed in the Android Market. Between 30.000 and 120.000 users affected.

Android Market

Botnet Like Features

Jun 6 2011

Android/DroidKungFu.A AKA Android.Gunfu

Malware which uses the same exploit as DroidDream, rageagainstthecage, to gain root privilege and install the main malware component. Once installed, the malware has backdoor capabilities and is able to: execute a command to delete a supplied file, execute a command to open a supplied homepage, download and install a supplied APK, open a supplied URL, run or start a supplied application package. The malware is moreover capable of obtaining some information concerning the device and sending it to a remote server. The collected information includes: IMEI number, Build version release, SDK version, users’ mobile number, Phone model, Network Operator, Type of Net Connectivity, SD card available memory, Phone available memory. In a few words, the device is turned into a member of a botnet.

Root

Botnet Like Features

Jun 9 2011

Android.Basebridge

Trojan Horse that attempts to send premium-rate SMS messages to predetermined numbers. When an infected application is installed, it attempts to exploit the udev Netlink Message Validation Local Privilege Escalation Vulnerability (BID 34536) in order to obtain “root” privileges.  Once running with “root” privileges it installs an executable which contains functionality to communicate with a control server using HTTP protocol and sends information such as Subscriber ID, Manufacturer and Model of the device, Version of the Android operating system. The Trojan also periodically connects to the control server and may perform the following actions: send SMS messages, remove SMS messages from the Inbox and dial phone numbers. The Trojan also contains functionality to monitor phone usage.

Botnet Like Features

Jun 9 2011

Android.Uxipp AKA Android/YZHCSMS.A

Trojan Horse that attempts to send premium-rate SMS messages to predetermined numbers. Again the threat poses as an application for a Chinese gaming community. When executed, the Trojan attempts to send premium-rate SMS messages to several numbers and remove the SMS sent. The Trojan sends device information, such as IMEI and IMSI numbers.

Android Market

Jun 10 2011

Andr/Plankton-A AKA Android.Tonclank 

This is a Trojan horse which steals information and may open a back door on Android devices. Available for download in the Android Market embedded in several applications, when the Trojan is executed, it steals the following information from the device: Device ID and Device permissions. The above information is then sent to a remote server from which  the Trojan downloads a .jar file which opens a back door and accepts commands to perform the following actions on the compromised device: copies all of the bookmarks on the device, copies all of the history on the device, copies all of the shortcuts on the device, creates a log of all of the activities performed on the device, modifies the browser’s home page, returns the status of the last executed command. The gathered information is then sent to a remote location.

Although this malware does not root the phone, its approach of loading additional code does not allow security software on Android to inspect the downloaded file in the usual “on-access” fashion, but only through scheduled and “on-demand” scans. This is the reason why the malware was not discovered before.

Android Market

Botnet Like Features

Jun 15 2011

Android.Jsmshider

Trojan found in alternative Android markets that predominantly target Chinese Android users. This Trojan predominantly affects devices with a custom ROM. The application masquerades as a legitimate one and exploits a vulnerability found in the way most custom ROMs sign their system images to install a secondary payload (without user permission) onto the ROM, giving it the ability to communicate with a remote server and receive commands. Once installed, the second payload may read, send and process incoming SMS messages (potentially for mTAN interception or fraudulent premium billing subscriptions), install apps transparently, and communicate with a remote server using DES encryption.

Botnet Like Features

Jun 20 2011

Android.GGTracker

This trojan is automatically downloaded to a user’s phone after visiting a malicious webpage that imitates the Android Market. The Trojan, which targets users in the United States, is able to sign up a victim to a number of premium SMS subscription services without the user’s consent. This can lead to unapproved charges to a victim’s phone bill. Android users are directed to install this Trojan after clicking on a malicious in-app advertisement, for instance a Fake Battery Saver.

Jul 1 2011

Android.KungFu Variants

Repackaged and distributed in the form of “legitimate” applications, these two variants differ from the original one by re-implementing some of their malicious functionalities in native code and supporting two additional command and control (C&C) domains. The changes are possibly in place to make their detection and analysis harder.

The repackaged apps infected with the DroidKungFu variants are made available through a number of alternative app markets and forums targeting Chinese-speaking users.

Root, Botnet Like Features
Jul 3 2011 AndroidOS_Crusewin.A AKA Android.Crusewind

Another example of a trojan which sends SMS to premium rate numbers. It also acts as an SMS Relay. It displays a standard Flash icon in the application list. The Trojan attempts to download an XML configuration file and uses it to retrieve a list of further URLs to send and receive additional data. The Trojan also contains functionality to perform the following actions: delete itself, delete SMS messages, send premium-rate SMS messages to the number that is specified in the downloaded XML configuration file, update itself.

Jul 6 2011

AndroidOS_SpyGold.A AKA Android.GoldDream

This backdoor is a Trojanized copy of a legitimate gaming application for Android OS smartphones. It steals sensitive information from the affected phone’s SMS and call functions, compromising the security of the device and of the user. It monitors the affected phone’s SMS and phone calls and sends stolen information to a remote URL. It also connects to a malicious URL in order to receive commands from a remote malicious user.

Botnet Like Features

Jul 8 2011 DroidDream Light Variant

New variant of DroidDream Light in the Android Market, immediately removed by Google. Number of downloads was limited to 1000 – 5000. This is the third iteration of malware likely created by the authors of DroidDream.

Android Market

Botnet Like Features

Jul 11 2011

Android.Smssniffer AKA Andr/SMSRep-B/C AKA Android.Trojan.SmsSpy.B/C AKA Trojan-Spy.AndroidOS.Smser.a


ZiTMO arrives on Android!
This threat is found bundled with repackaged versions of legitimate applications. When the Trojan is executed, it grabs a copy of all SMS messages received on the handheld device and sends them to a remote location.

Jul 12 2011

Android.HippoSMS AKA Android.Hippo

Another threat found bundled with repackaged versions of legitimate applications. When the Trojan is executed, it grabs a copy of all SMS messages received on the handheld device and sends them to a remote location.

Jul 15 2011

Android.Fokonge

This threat is often found bundled with repackaged versions of legitimate applications. The repackaged applications are typically found on unofficial websites offering Android applications. When the Trojan is executed, it steals information and sends it to a remote server.

Botnet Like Features

Jul 15 2011

Android/Sndapps.A AKA Android.Snadapps

Five Android apps found in the official Android Market share a common suspicious payload which uploads users’ personal information, such as email accounts as well as phone numbers, to a remote server without the user’s awareness.

Android Market

Botnet Like Features

Jul 27 2011

Android.Nickispy

Trojan horse which steals several kinds of information from Android devices (for instance GPS Location or Wi-Fi position). For the first time on the Android Platform a malware is believed to spy on conversations.

Botnet Like Features

Jul 28 2011

Android.Lovetrap

Trojan horse that sends SMS messages to a premium-rate phone number. When the Trojan is executed, it retrieves information containing premium-rate phone numbers from a malicious URL, then sends premium-rate SMS messages and attempts to block any confirmation SMS messages the compromised device may receive from the premium-rate number in an attempt to mask its activities. The Trojan also attempts to gather IMSI and location information and send the information to the remote attacker.

Aug 2 2011

Android.Premiumtext

This is a detection for Trojan horses that send SMS texts to premium-rate numbers. These Trojans are repackaged versions of genuine Android software packages, often distributed outside the Android Marketplace. The package name, publisher, and other details will vary and may be taken directly from the original application.

Aug 9 2011

Android.NickiBot

It belongs to the same NickiSpy family. However, it is significantly different from its predecessor since it is fully controlled by SMS messages instead of relying on a hard-coded C&C server for instructions. In addition, NickiBot supports a range of bot commands, such as for (GPS-based) location monitoring, sound recording and (email-based) uploading, call log collection, etc. It also has a check-in mechanism to a remote website. This threat is often found bundled with repackaged versions of legitimate applications. The repackaged applications are typically found on unofficial websites offering Android applications. When the Trojan is executed, it steals information and sends it to a remote server.

Botnet Like Features

Legend

Parallel Market

Android Market

Manual Install

Automatic Install of Apps

Send SMS or Calls to Premium Numbers

Botnet Like Features: Server C&C

GPS Spy: GPS Spyware

Root: Root Access


Happy Birthday! One Year of Android Malware

August 9, 2011 2 comments

Exactly one year ago (9 August 2010) Kaspersky discovered the first SMS Trojan for Android in the wild, dubbed SMS.AndroidOS.FakePlayer.a. This is considered a special date for the Google Mobile OS, since, before then, Android malware was little more than an exercise in style, essentially focused on spyware. After that everything changed, and mobile malware targeting the Android OS became more and more sophisticated.

For this reason I decided to prepare a special birthday gift for the Android, that is a special compilation showing the long malware trail which characterized this day. Commenting on the graph, in my opinion the turning point was probably Android.Geinimi (end of 2010), featuring the characteristics of a primordial botnet, but Android.DroidDream (AKA RootCager) is also worth mentioning because of its capability to root the phone and potentially to remotely install applications without direct user intervention. Moreover, as you will have probably noticed, the average impact is low, but the number of malware threats is growing exponentially after June; this is the reason why I decided to divide my special compilation into two parts. Today is part I: from the beginning to May the 31st 2011.

Let’s set off on this mobile malware journey among botnets, sleepwalkers and biblical plagues, and meanwhile do not forget to read my presentation on how to implement a secure mobile strategy.

Date Description Features Overall Risk
Aug 9 2010
SMS.AndroidOS.FakePlayer.a

First SMS Android Malware In the Wild: The malicious program penetrates Android devices in the guise of a harmless media player application. Once manually installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals.

Aug 17 2010 AndroidOS_Droisnake.A

This is the first GPS Spy Malware disguised as an Android Snake game application. To the victim, Tap Snake looks like a clone of the Snake game. However, once someone installs this app on a phone, the “game” serves as a front for a spy app that proceeds to run in the background, secretly reporting GPS coordinates back to a server. The would-be spy then pays for and downloads an app called GPS Spy and enters an email address and code to gain access to the victim’s uploaded data.

Android Market, GPS Spy
Sep 14 2010 SMS.AndroidOS.FakePlayer.b

Pornography lands on Android! This malware is a variant of SMS.AndroidOS.FakePlayer.A. The malware poses as a pornographic application whose package name is pornoplayer.apk, and it installs on the phone with a pornographic icon. When the user launches the application, the malware does not show any adult content and, instead, sends 4 SMS messages to short codes, at the end-user’s expense.

Oct 13 2010
SMS.AndroidOS.FakePlayer.c

Pornography back on Android! Third variant of the malware SMS.AndroidOS.FakePlayer.A. New pornographic application, old icon. Sends 2 SMS messages to short codes, at the end-user’s expense.

Dec 29 2010
Android.Geinimi

First example of a Botnet-Like Malware on Android. “Grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI).

Botnet Like Features
Feb 14 2011
Android.Adrd AKA Android.HongTouTou

New Malware with Botnet-like Features from China. The trojan compromises personal data such as the IMEI/IMSI of the device, sends it back to the remote side and reacts to the commands it receives from there. Similar to Android.Geinimi but with a lower profile (fewer commands).

Botnet Like Features
Feb 22 2011 Android.Pjapps

New Trojan horse embedded in third-party applications. It opens a back door on the compromised device and retrieves commands from a remote command and control server.

Botnet Like Features
Mar 1 2011 Android.DroidDream AKA Android.Rootcager AKA AndroidOS_Lootoor.A

The first example of a new generation of Mobile Malware: distributed through the Official Android Market, it affected, according to Symantec, 50,000 to 200,000 users. Exploits two different tools (rageagainstthecage and exploid) to root the phone.

Android Market, Botnet Like Features, Root

Mar 9 2011 Android.BgServ AKA Troj/Bgserv-A AKA AndroidOS_BGSERV.A

Trojanized version of the Android Market Security tool released by Google, on March the 6th, to remove the effects of DroidDream. The trojan opens a back door and transmits information from the device to a remote location. It shows more than ever security and reputation flaws in the Android Market Proposition Model. 5,000 users affected.

Android Market, Botnet Like Features, Root

Mar 20 2011 Android.Zeahache

Trojan horse that elevates privileges on the compromised device, discovered in a Chinese-language app available for download on alternative Chinese app markets. The app has the ability to root an Android device (by means of the exploid tool, called by the zHash binary), leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities, was also found on the Android Market, albeit this version lacked the code to invoke the exploit.

Android Market, Root

Mar 30 2011 Android.Walkinwat

Manually installed from non-official Android Markets, the Trojan modifies certain permissions on the compromised device that allow it to perform the following actions: access contacts in the address book, access network information, access the phone in a read-only state, access the vibrator on the phone, check the license server for the application, find the phone’s location, initiate a phone call without using the interface, open network sockets to access the Internet, read low-level log files, send SMS messages, turn the phone on and off. It displays a message to the user, trying to discipline users that download files illegally from unauthorized sites.

May 9 2011

Android.Adsms AKA AndroidOS_Adsms.A

This malware specifically targeted China Mobile subscribers. The malware arrived through a link sent through SMS. The said message tells the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually leads to a malicious configuration file. The malware then sends messages to premium numbers.

Android Market

May 11 2011

Android.Zsone AKA Android.Smstibook

Google removed a Trojan, Zsone, from the Android Market with the ability to subscribe users in China to premium rate QQ codes via SMS without their knowledge. 10,000 users affected.

Android Market

May 22 2011

Android.Spacem

A biblical plague for Android! Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation. The malware targeted North American users. After the reboot, it starts a service which, at regular intervals, attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location in intervals of 33 minutes. In addition to having abilities to respond to commands through the Internet and SMS, the threat also has activities that are designed to trigger on the 21 and 22 of May 2011, respectively (The End of The World).

Android Market

Botnet Like Features

May 31 2011

Android.LightDD

A brand new version of Android.DroidDream, dubbed DroidDreamLight, was found in 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developers distributed in the Android Market. Between 30.000 and 120.000 users affected.

Android Market

Botnet Like Features

Legend

Parallel Market

Android Market

Manual Install

Automatic Install of Apps

Send SMS or Calls to Premium Numbers

Botnet Like Features: Server C&C

GPS Spy: GPS Spyware

Nine Months Of Living Dangerously

May 18, 2011 3 comments

The title of this post is not a subset of Peter Weir’s famous movie “The Year Of Living Dangerously”, featuring Mel Gibson and Sigourney Weaver, but rather refers to the dangerous months which Android is living through, from the second half of 2010 to this first half of 2011, which saw a dramatic increase in Android malware.

I enjoyed summarizing in a single picture the mobile malware which affected the Google Mobile OS from August 2010 to the present day. As shown, the results are not encouraging and seem to confirm, in a qualitative form, the 400% increase in mobile malware (in six months) recently stated by Juniper Networks: in the second half of 2011 we witnessed mainly variants of the first Trojan. In the first half of 2011 the landscape has become much more complicated, with mobile malware tailored “for different needs”.

So far the threats can be divided essentially into two categories:

  • Malware capable of stealing data and sending them to a remote C&C (which on a mobile platform may have worse consequences, since it may send remote data to a C&C Server);
  • Malware capable of sending SMS to premium rate numbers without the user’s permission (and awareness).

In many cases the malware was downloaded from parallel markets (most of all from China and Russia), often with pornography acting as a decoy for the unfortunates, hence showing the risks connected with sideloading, that is the practice of enabling installation of applications downloaded from external markets.

Two examples were particularly meaningful: the example of Geinimi, which showed all the features of a botnet, and the example of DroidDream, which bypassed all the security controls of the Android Market, infected something between 50.000 and 200.000 users according to Symantec, and was remotely removed by Google, thus prefiguring a new security model which remotely manages the security functions of the endpoint (and everything suggests that this trend will soon spread to more traditional endpoints: just today I stumbled upon this really interesting article).

By the way… Just today, three German security researchers discovered a serious flaw in the ClientLogin Authentication Protocol affecting almost all the Android-powered devices… Ok, it is not malware, but the security concerns for the Google Mobile Operating System are more relevant than ever…

Chronicles Of The Android

April 1, 2011 2 comments

The title of this post recalls a science fiction novel, but actually summarizes well a couple of news items concerning Android which have bounced around in these days. Even if they seem apparently disjoined, I decided to insert them in the same post: there is a logical link which connects the commercial success of a platform and the attention it attracts from malicious actors, and this seems to be the destiny of Android, for which the market share promises a bright future, which becomes much less bright if one considers the information security consequences.

 

Part 1: Smartphone Market Share

This seems to be the right time for predictions as far as the smartphone market is concerned, which is the reason why I really enjoyed comparing the projections of ABI Research (released today) with the ones released by IDC a couple of days ago. The results are summarized in the following tables. Even if they are targeted at different years in the near future (respectively 2016 for ABI Research and 2015 for IDC), comparing the two reports is interesting for imagining what the future of the smartphone Operating System will be.

Operating System | ABI Research 2010 | ABI Research 2016 | IDC 2011 | IDC 2015
Android | 23,00% | 45,00% | 39,50% | 45,40%
RIM | 16,00% | 14,00% | 14,90% | 13,70%
iOS | 15,00% | 19,00% | 15,70% | 15,30%
Symbian | 36,00% | - | 20,90% | 0,20%
Windows Phone 7/Windows Mobile | 0,60% | 7,50% | 5,50% | 20,90%
Others | 9,40% | 14,50% | 3,50% | 4,60%

Often the providers of market intelligence do not agree on anything, but in this case, if there is one thing that seems beyond doubt, it is the scepter of Android, which seems destined, in both reports, to rule the market with nearly one half of the total smartphones shipped after 2015. The data also confirm a stable position for RIM (around 13%-14%), while they do not completely agree as far as Apple is concerned, for which ABI Research estimates a market share of 19% in 2016 and IDC a market share of 15% in 2015. But where the data are surprisingly different is the Windows Phone market share. According to ABI Research, Windows Phone will reach 7% of the market (which becomes 7.5 adding the market share of its predecessor Windows Mobile). Unfortunately I do not think that, according to Microsoft’s hopes, the number 7 which identifies the mobile operating system series pertains to the market share in 2016. IDC is more optimistic and foresees a bright future for Redmond in the mobile arena, with its creature ranking immediately behind Android with 20% of the market. It will be very amusing to see (in 5 years, if we remember) who was right.

Last and (unfortunately) least, the poor Symbian, sacrificial victim of the Nokia and Microsoft agreement, which in 5 years will remain little more than a romantic remembrance for mobile lovers, while, surprisingly, ABI Research foresees a surprising 10% market share for Samsung Bada in 2016.

Part 2: Mobile Malware Market Share

Of course I am an infosec guy, so I wonder whether mobile malware will follow the same trend. This consideration arises from an interesting article I found on the Fortinet blog. Of course the data must be taken with caution, but I could not help noticing that when one switches from smartphone market share to mobile malware market share, the ranking positions are reversed: over 50% of the mobile malware families detected by the security firm concern Symbian, approximately 15% are Java ME midlets, while the Android accounts for only approximately 5% of the infections. Of course, as correctly stated in the article, this does not mean that Symbian is the least secure. In my opinion the bigger percentage of mobile malware is simply a consequence of the fact that Symbian is still the most widespread Operating System. Malware writers naturally devote more attention to the platforms that offer the wider attack surface (that is, the wider possibility to spread infections), and at this moment Symbian is an attractive prey from this point of view. My sixth sense (and one half, as we say in Italy) says that it will not take the Android long to reach the unenviable first position in mobile malware market share as well, not only because it is spreading at an incredible speed, but also because it is becoming an enterprise platform (so the value of the data stored is much more attractive for Cyber Crooks).

As if on purpose, today Symantec discovered yet another malware for Android (Android.Walkinwat), which, at least this time, tries to discipline users who download files illegally from unauthorized sites. Like some of its noble malware predecessors (Geinimi, HongTouTou, Android.Pjapps), the malware is hidden inside a non-existent version of a real application (in this case Walk and Text) and downloaded from parallel markets in Asia and the United States, but instead of stealing private data, it simply floods the contacts with SMS messages.

Hey, just downloaded a pirated App off the Internet, Walk and Text for Android. I am stupid and cheap, it costed only 1 buck. Don’t steal like I did.

At the end, after sending the SMS (which affects the user's phone bill), it warns the user with the following message.

Unfortunately, downloading malware from Asian parallel markets is not new, and it is no coincidence that the same Fortinet report indicates that most mobile malware families are implemented by Russian or Chinese coders. This is undoubtedly an increasing trend, and I am afraid that Chinese coders will soon shift their Cyber Espionage Operations to mobile devices…

DroidDream: Google Uproots It Remotely

March 6, 2011 1 comment

A few days ago I devoted a post to the Android's latest malware (a dream of a malware, one might say): the infamous DroidDream. This umpteenth mobile threat for the Android has set a dangerous precedent, being the first malware, unlike its illustrious predecessors (Geinimi, HongTouTou and ), to have breached the official market directly.

It was known from the start that the “Android's Dream”, using legitimate applications as an unwitting vehicle, was able to inject into infected handsets malicious code capable of taking the root of the device (hence the name Android.Rootcager) on its own (obviously without the slightest consent from the user).

More precise details about the malware are now beginning to leak out (which partly reduce its danger, since it appears that the malicious application “limits itself” to transmitting to the remote server only the IMEI, IMSI, device model and SDK version); however, in these very hours Google has announced its strategy to (quite literally) uproot the malware and solve the problem at the root. The Mountain View giant has decided to pull the trigger and launch, for the second time in its history, the remote clean-up of the Sick Androids. The first time was in June 2010, when the Mountain View colossus realized that two researchers had injected, for demonstration purposes, a fake application into the Market (a sniffer that could have been used with far more serious consequences).

Obviously this modus operandi has once again raised the long-standing question of whether such practices are acceptable or whether they excessively infringe the user's freedom and privacy. In theory remote clean-up is a valid security tool; in practice it reopens the long-standing privacy question and whether it is legitimate for a vendor, even one driven by good intentions, to go a bit too far past the red line that marks the ownership of the handset by whoever spent, in the best case, 500 euros on it. The matter is all the thornier considering that such drastic moves (desperate times call for desperate measures) are caused by a chain of market controls that is not as rigorous as Cupertino's (and, one might add, by an OS that is not exactly in sparkling form these days).

After all, the Android Market Terms of Service speak (not very) clearly. Article 2.4 of the aforementioned terms of service reads:

Google may become aware that a Product violates the terms of the Android Market Developer Distribution Agreement or applicable laws and/or Google's rules. In that case, Google may disable access to such Products at its own discretion and without notice.

At this point Android owners (yours truly included) will feel a bit caught between a rock and a hard place: I really do not know which is preferable, the awareness that one's beloved operating system has lately been targeted a bit too much by cybercriminals (today for fun, but tomorrow?), or the fact that, in case of malware infection, one can always hope that Big Brother will make a strictly unrequested remote access to our handset to restore order among the applications.

It will be said that these things also happen to Apple owners (complete with threats of class action). True, but at least at the moment the Apple core, malware data in hand, is certainly more secure.

All that remains is to install droidwall, perhaps blocking all inbound and outbound connections… Fine, let me go and look at it on the market… Wait, what is the first thing written there… “ATTENTION: ROOT REQUIRED!!!”

An Android of Dreams… Or Rather of Nightmares… Maybe an Alien One…

March 2, 2011 1 comment

The dream is that of the new (umpteenth) malware that has targeted the poor Android (romantically named DroidDream). The nightmare is this early stretch of 2011, which is proving to be a real year of passion for the Mountain View creature. The Alien is the one with which the Android could soon infect other devices (maybe even some nice Apple…).

But let us go in order: the latest security alert once again comes from Lookout (which shows once more its foresight when it comes to mobile malware) and was picked up shortly afterwards by Symantec, which instead christened the newly arrived malware Android.Rootcager.

The difference from its illustrious predecessors from the East (Geinimi, HongTouTou and the latest arrival ) lies in the fact that this time the enemy is among us: the new threat was in fact skillfully hidden inside 50 official applications, regularly hosted in the official Android Market. According to a Symantec estimate, between 50,000 and 200,000 users downloaded the infection-carrying applications in the 4 days in which they were riding the crest of the wave, or rather the crest of shame for Google, which noticed late and, according to Lookout, did not even take effective action immediately.

As usual, the malware targets personal data, and the first user to notice the anomaly was Lampolo, a user of the social network Reddit, who analyzed two suspicious applications, alarmed by the fact that their developer name had changed. Analyzing the suspicious applications, Lampolo discovered malicious code inside them capable of climbing over the security sandbox in which the Android is supposed to run applications, preventing them from accessing the system directly (but then again, it is no news that the Android's sandbox is not the pinnacle of security).

Another blogger, Justin Case of Android Police, took a closer look at the malicious applications and discovered that the malicious code is able to root the device by means of the rageagainstthecage tool, well known to those whose hobby is buying an Android and immediately rooting it. Once it has obtained the privileges, the malware is able to send (I really did not expect this one) sensitive device information (IMEI and IMSI) to a remote server. The code also conceals a further APK package hidden inside it, which is able to steal additional sensitive data.

At this link (or this other one) is the complete list of infected applications, recognizable as being traceable to three specific authors: “Kingmall2010”, “myournet” or “we20090202”. Anyone who does not feel particularly safe can also check for the presence of the service com.android.providers.downloadsmanager (DownloadManageService) among the running services.
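The running-service check described above can be automated. The following is an added example, not code from the original post or from any vendor: it parses a service listing in the style of `adb shell dumpsys activity services` and grades each match against the two indicators the post names. The sample listing is constructed, and the `com.example.wallpaper` package is hypothetical.

```python
import re

# Indicators named in the post
BAD_PACKAGE = "com.android.providers.downloadsmanager"
BAD_SERVICE = "DownloadManageService"

# Constructed sample in the style of `adb shell dumpsys activity services`
SAMPLE_DUMP = """\
  * ServiceRecord{40537a58 com.android.phone/.BluetoothHeadsetService}
  * ServiceRecord{4061d2f0 com.android.providers.downloads/.DownloadService}
  * ServiceRecord{40a1b2c8 com.android.providers.downloadsmanager/.DownloadManageService}
  * ServiceRecord{41c3d4e0 u0 com.example.wallpaper/com.example.wallpaper.DownloadManageService}
"""

# Matches both the older "{hash pkg/cls}" and the newer "{hash u0 pkg/cls}" form
RECORD = re.compile(r"ServiceRecord\{\S+(?: u\d+)? ([\w.]+)/([\w.$]+)\}")


def running_services(dump):
    """Yield (package, simple class name) for every ServiceRecord line."""
    for package, cls in RECORD.findall(dump):
        yield package, cls.rsplit(".", 1)[-1]


def droiddream_findings(dump):
    """Return (package, service, reason) for each service matching an indicator."""
    findings = []
    for package, service in running_services(dump):
        pkg_hit = package == BAD_PACKAGE   # exact match: the similarly named
        svc_hit = service == BAD_SERVICE   # platform package must not trigger
        if pkg_hit and svc_hit:
            findings.append((package, service, "package+service"))
        elif pkg_hit:
            findings.append((package, service, "package-only"))
        elif svc_hit:
            findings.append((package, service, "service-only"))
    return findings


if __name__ == "__main__":
    for finding in droiddream_findings(SAMPLE_DUMP):
        print(finding)
```

A "service-only" hit means the class name from the post appears under a different package, which deserves a manual look rather than an automatic verdict.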

Are all these seasonal ailments just exceptions, the tail end of a Winter that never seems to end for the Android, or do they foreshadow what will be an endless battle between malware authors and the forces of good?

Unfortunately I lean more towards the second hypothesis, unintentionally reinforced by the fact that the Android, to make developers' lives easier, uses a Java Virtual Machine (the infamous Dalvik, at the centre of a legal battle against Larry Ellison's Oracle) to run code, an architectural fact that certainly helps developers but, on the other hand, could have heavy repercussions in terms of security. The reason is explained in this McAfee article, “Write Once, Mobile Malware Anywhere”: using Virtual Machines for development implicitly brings several benefits (or rather, evils) for malware.

In fact, if a virtual machine is used:

  • Compatibility is maintained, since the APIs remain the same;
  • Code can be reused (some portions, such as SMS sending, Bluetooth transfer, etc., do not have to be rewritten);
  • Above all, it makes malware extremely contagious, since it can attack different devices or Operating Systems that use a virtual machine compatible with the original one.

Since the Dalvik virtual machine could soon land on other devices, it follows that the Android could soon become patient zero for other devices. I had already talked in this post about RIM's work to develop a Java Virtual Machine compatible with the Android; now it seems that Myriad, a member of the Open Handset Alliance that collaborates with Google on Android development, is also working on an Alien Android (that is, a Dalvik-compatible virtual machine jokingly called Alien Dalvik) able to run unmodified Android applications on alien platforms, and at the same speed as the native Android to boot (after the damage of contagion, the insult of the same infection propagation speed).

Of course, knowing Cupertino's policies, I doubt we will ever see an Alien Virtual Machine in the heart of the Apple; in any case, everything suggests that the Android may become the reference platform (also) for malware, with the consequence that soon we will no longer have to worry only about terrestrial mobile malware but also about the Alien kind (far more alien than the one with which Jeff Goldblum saves the Earth in Independence Day).

If the Android Evaporates

The latest report on malware for the poor Android comes from Symantec. News has broken in these hours of the discovery of a new malware for the poor, restless Android. Android.Pjapps is the name of the malware, which hides behind a legitimate application: Steamy Window, which in its clean version steams up the Android's screen and in its tainted version vaporizes its security as well.

Here too it is the same old story: suspicious permissions at installation time, and while the user plays at wiping the screen with a fingertip, the trojan imprisons the Android in a botnet controlled by a few Command and Control (C&C) servers. Once infected, the Crazed Android is able to install applications against the user's will, navigate to websites, add bookmarks to the browser, send text messages and even block replies to messages.

All of this, in the best tradition, strictly in the background without the user noticing a thing. When the signal strength changes, the service starts and attempts to connect to the following command and control server:

http://mobile.meego91.com/mm.do?.. (control parameters)

As you can see, the malware authors did not lack a sense of humor, given that the devices are controlled by a server named after MeeGo, the (almost) defunct operating system born of the ill-fated alliance between Nokia and Intel.

Together with the check-in, the malware sends sensitive information obtained from the device, including:

On receiving the reply, it sends a message with the IMEI of the compromised device to a number obtained from the following address:

http://log.meego91.com:9033/android.log?(control parameters)

Here too there is a nod to poor MeeGo. Obviously the number to which the message is sent is controlled by the attacker, who is thus able to hide his identity.

From time to time, moreover, the malicious service polls the Command and Control server, using its own XML-based protocol, to check whether there are further commands.

http://xml.meego91.com:8118/push/newandroidxml/...(commands).
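The three requests described above (check-in, SMS number lookup, command poll) leave a recognizable sequence in web proxy logs. The following is an added example, not code from the original post or from Symantec: it labels each logged request with the stage it belongs to and lists the clients that went through all three. The log format, client addresses, query strings and file names are constructed; only the hosts and paths come from the post.

```python
from urllib.parse import urlsplit

# Hosts and paths quoted in the post, mapped to the stage each one serves.
ENDPOINTS = {
    "mobile.meego91.com": ("/mm.do", "check-in"),
    "log.meego91.com": ("/android.log", "sms-number-lookup"),
    "xml.meego91.com": ("/push/newandroidxml/", "command-poll"),
}

# Constructed proxy log: "<timestamp> <client> <method> <url>".
# Query strings and file names are placeholders; the post elides the real ones.
SAMPLE_LOG = """\
2011-01-01T10:00:01Z 10.0.0.21 GET http://mobile.meego91.com/mm.do?x=1
2011-01-01T10:00:03Z 10.0.0.21 GET http://log.meego91.com:9033/android.log?x=1
2011-01-01T10:05:00Z 10.0.0.21 GET http://xml.meego91.com:8118/push/newandroidxml/a.xml
2011-01-01T10:06:00Z 10.0.0.35 GET http://example.com/mm.do?x=1
2011-01-01T10:07:00Z 10.0.0.35 GET http://MOBILE.meego91.com./mm.do
2011-01-01T10:08:00Z 10.0.0.40 GET http://mobile.meego91.com.example.net/mm.do
"""


def classify(url):
    """Return the Pjapps stage a URL belongs to, or None if it is unrelated."""
    try:
        parts = urlsplit(url)
    except ValueError:                      # malformed URL in the log
        return None
    # hostname is already lower-cased; drop the trailing dot of an FQDN
    host = (parts.hostname or "").rstrip(".")
    entry = ENDPOINTS.get(host)             # exact host match, no suffix tricks
    if entry is None:
        return None
    prefix, stage = entry
    return stage if parts.path.startswith(prefix) else "unclassified"


def triage(log_text):
    """Map each client to the ordered list of distinct stages it reached."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        client, url = fields[1], fields[3]
        stage = classify(url)
        if stage and stage not in hits.setdefault(client, []):
            hits[client].append(stage)
    return hits


def full_cycle(hits):
    """Clients that performed check-in, number lookup and command poll."""
    wanted = {stage for _, stage in ENDPOINTS.values()}
    return sorted(c for c, stages in hits.items() if wanted <= set(stages))


if __name__ == "__main__":
    print(full_cycle(triage(SAMPLE_LOG)))
```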

Here too the problem is always the same: an apparently legitimate application taken from a parallel market and with implausible installation permissions. Only the third aspect that has so far marked all the malware for the poor Android (after the Geinimi and HongTouTou cases) is missing, namely China. This illustration I found on the Symantec blog gave me strong doubts, but then, digging around the Net, I discovered that in the same hours a Chinese (what a coincidence) security company, Netquin, discovered two variants (called SW.SecurePhone and SW.Qieting) presumably traceable to the malware detected by Symantec.

I must admit that the suspicion that it is precisely the companies of the East that put the Android infections into circulation has not yet completely dissolved…
