About these ads

Archive

Posts Tagged ‘Android’

The Dangerous Liaisons (Updated)

August 22, 2011 1 comment

Did you know that a smartphone might involve as many as 250,000 patent claims? You may easily understand why the $ 4.5 billion auction to buy 6,000 Nortel patents by the consortium formed by Apple, Microsoft, Research in Motion, Sony Ericsson and EMC was so cruel. You may also easily understand why Google, the loser of the Nortel auction, decided to react immediately acquiring Motorola and its patent portfolio made of more than 17,000 approved patents (and another 7,500 patents filed and pending approval) for the large sum of $ 12.5 billion.

Said in few words, the mobile arena is getting more and more agressive and cruel. For this reason, a litte bit for curosity, a little bit for fun, I decided to draw a chart (and a table) showing all the moves of the giant players in this mobile chessboard. Although deliberately incomplete (I did not show in the table the patent saga of NTP Inc. against the rest of the world and the settlement of Motorola vs RIM), it gives a good idea of the dangerous intersections involving partnership, fees, alliances and, most of all, lawsuits… With the strange paradox that some companies (read Apple and Samsung) are enemies before the court, but in the same time business partners.

While visualizing the idea I stumbled upon this similar graph showing the status of the mobile arena on 8 Oct 2010. I decided to use the same layout, omitting some informations, but updating it to the current date. The graph is a little bit confusing, but the confusion of the arrows reflects betten than a thousand words the real situation.

Anyway the war will not stop here: the next targets? Interdigital Inc. with its 8,800 patents  which are attracting several bidders such as Apple, Nokia and Qualcomm; and, most of all, Kodak, whose survival depends on the auction of the 10% of its patent portfolio (1,100 patents), valued as high as $3 billion which are vital to compensate the losses estimated in $2.5 billion.

As far as the table is concerned, in order to avoid repetitions, it only shows the status of the lawsuits and alliances from the perspective of Google, Apple and Microsoft. Enjoy your read and the 250,000 patent claims on your smartphone!

Company Filed Suit Against Has technological alliance with Filed Suite From:
  No one (at least so far!)

Of course Google licensees his Mobile OS to HTC and Samsung (in rigorous alphabetical order), and it is the driver for the impressive market share growthof Samsung and HTC.

In an effort to defend Android’s Intellettual Property “to supercharge the Android ecosystem and will enhance competition in mobile computing”, on Aug 15 2011, Google announced the intention to acquire Motorola Mobility with a $12.5 billion deal. Motorola has nearly 17,000 patents.

Aug 12 2010: Oracle has filed suit against Google for infringing on copyrights and patents related to Java,. Oracle claimed Google “knowingly, directly and repeatedly infringed Oracle’s Java-related intellectual property”. Android uses a light proprietary Java Virtual Machine, Dalvik VM, which, according to Oracle infringes one or more claims of each of United States Patents Nos. 6,125,447; 6,192,476; 5,966,702; 7,426,720; RE38,104; 6,910,205; and 6,061,520.

The case is in U.S. District Court, Northern District of California, is Oracle America, Inc v. Google Inc, 10-3561.

The lawsuit is still pending and will likely take several months. The trial between Oracle and Google is expected to begin by November and Oracle is seeking damages “in the billions of dollars” from Google.

On Aug 1 2011, the judge overseeing the lawsuit Oracle filed over the Android mobile OS has denied Google’s attempt to get a potentially damaging e-mail redacted.

Mar 2 2010: Apple sued HTC for infringing on ten patents, nine of which involve technologies which apply to the iPhone, while one involves the use of gestures, but only in a specific use case.

The suit has been filed in the U.S. District Court in Delaware , alleging twenty instances of patent infringement. The company also petitioned the US  ITC to block the import of twelve phones designed and manufactured by HTC.

On Jul 15 2011 Apple won a preliminary patent ruling in an early judgment before the US ITC, in which HTC was found to have breached two of 10 patents held by Apple.

On Aug 8 2011 ITC  announced to have dediced to review Apple’s patent infringement complaint against HTC.

Oct 31 2010: In response to Motorola lawsuit against Apple, Apple sued Motorola and Motorola Mobility for Infringment on several Multi-Touch patents infringments in the Wisconsin Western District Court with two distinct lawsuits. A total of six patents are involved in the two lawsuits.

On Nov 23, 2010: US International Trading Commission announced to review Apple patent case against Motorola.

Apr 18 2011: Apple filed suit against Samsung for copying the design of its iPad and iPhone with its smartphones and tablets.

Aug 10 2011: European customs officers have been ordered to seize shipments of Samsung’s Galaxy Tab computers after the ruling late on Tuesday by a German patents court.

In the last days Apple has been accused of presenting inaccurate evidence against Samsung.

Aug 24 2011: Samsung has been banned from selling some galaxy phones in the Netherlands. The ban is set to begin on October 13, but Samsung doesn’t seem to be taking it too hard.

On Jul 1 2011 the intellectual property of the Canada giant Nortel (in Bankrupt), involving 6,000 patents, was sold for $4.5 billion, in a dramatic auction, to a consortium formed by Apple, Microsoft, RIM, Sony, EMC and Ericsson. Google was the other competitor (and the big looser) for the deal. This event acted as a trigger for the acquisition of Motorola Mobility by Google.

On Aug 3 2011, In a post to the Official Google Blog, Google Senior Vice President and Chief Legal Officer David Drummond said that Apple, Microsoft, Oracle, and others have waged “a hostile, organized campaign against Android” by snapping up patents from Novell and Nortel and asking Google for high licensing fees for every Android device”, accusing them of Patent Bulying.

Curiously, Apple is one of the main technological partners of Samsung for displays and semi-conductors. Samsung produces Apple’s A4 systems-on-a-chip (SoC) and also the two companies collaborate for iPad displays (Apple is moving from LG to Samsung because oof quality issues of the former). Nevertheless the lawsuits between the two companies are compromising their relationships so that Apple is evaluating a new supplier (TSMC) for its A6 nexy generation chipset.

Oct 22 2009: Nokia sued Apple in Delaware court for infringing on  ten patents related to GSM, UMTS, and WLAN standards that Nokia states they established after investing more than EUR 40 billion in R&D over the last 20 years.

On Jun 14 2011 Apple agreed to pay between $300m and $600m to cover the 111m iPhones sold since its launch in 2007. Although the exact number was not specified, additional yearly fees could be part of the agreement.

On Jan 2010 Kodak sued Apple and RIM claiming Apple is infringing its 2001 patent covering technology that enables a camera to preview low-resolution versions of a moving image while recording still images at higher resolutions. The cases were filed in U.S. District Court in Rochester, N.Y., as well as the U.S. ITC.

On Apr 2010 Apple argues that some Kodak still and video camera products violate two of its patents

On Jul 2011: While Kodak’s claim is pending, the commission rules on Apple’s complaint and says Kodak’s digital-camera technology doesn’t violate Apple’s patents.

Oct 6 2010: Motorola sued Apple for patent infringement in three separate complaints; in district courts in Illinois and Florida and a separate complaint filed with the U.S. International Trade Commission. The suits covered 18 different patents, infiringed by Apple’s iPhone, iPad, iPod touch, and certain Mac computers.

The Motorola patents include wireless communication technologies, such as WCDMA (3G), GPRS, 802.11 and antenna design, and key smartphone technologies including wireless e-mail, proximity sensing, software application management, location-based services and multi-device synchronization.

Jan 12 2011: Microsoft has motioned for a summary judgment to block Apple from trademarking the phrase “app store,” as it filed with the U.S. Patent and Trademark Office (USPTO) on July 17, 2008.

Mar 30 2011: Microsoft filed a second objection to Apple’s enduring pursuit to trademark the phrase “app store hiring a linguist, Dr. Ronald Butters, to go head-to-head against Apple’s own hired linguist, Robert A. Leonard.

On Jul 1 2011 US ITC said Apple has violated two S3 Graphics Co. patents in its Mac OS X operating system, but not in the iOS platform. Although not directly related to Mobile, this ruling is meaningful since S3 has been acquired by HTC on Jul 6 2011 for $300 million in order to use their patents in the fight against Apple.

HTC expects final ruling on Apple-S3 graphics case in November.

On Aug 16 2011 HTC filed a new lawsuit against Apple in Delaware’s US District Court, in an escalation of the legal battle between the two smartphone giants. HTC accused Apple to have infringed three of HTC’s patents through its sale of devices including iPads, iPods, iPhones and Macintosh computers.

Oct 1 2010: Microsoft sued Motorola for patent infringement relating to the company’s Android-based smartphones. Microsoft filed its complaint with the International Trade Commission and in a Washington state district court. At issue are nine patents that deal with, among others, sending and receiving e-mail, managing and syncing calendars and contacts, and managing a phone’s memory.

Patent dispute will begin from Aug 21 2011, the hearing procedure can take up to 10 days, the judgment procedure is expected to reach the final verdict point only in March 2012.

Nov 9 2010: Microsoft sued again Motorola for charging excessive royalties on network technology used in Microsoft’s Xbox game system.

Feb 11 2011: a deal with the Devil, Microsoft and Nokia announce their plansto form a broad strategic partnership that would use their complementary strengths and expertise to create a new global mobile ecosystem.

Besides the alliances with Apple and RIM (see the corresponding cell), on May 12 2011 Microsoft has teamed up with HTC, Nokia and Sony Ericsson in Europe, filing a challenge seeking to invalidate Apple’s trademarks on the phrases “App Store” and “Appstore.”

Nov 11 2010: Motorola Mobility sued Microsoft with the U.S. District Courts for the Southern District of Florida and the Western District of Wisconsin alleging infringement of sixteen patents by Microsoft’s PC and Server software, Windows mobile software and Xbox products.

Motorola Mobility asked for the infringing devices to be barred from importation into the United States.

On Dec 21 2010, ITC has agreed to hear the complaint.


About these ads

Looking Inside a Year of Android Malware

August 14, 2011 2 comments

As you will probably know my Birthday post for Android Malware has deserved a mention from Engadget and Wired. Easily predictable but not for me, the Engadget link has been flooded by comments posted by Android supporters and adversaries, with possible trolls’ infiltrations, up to the point that the editorial staff has decided to disable comments from the article. The effect has been so surprising that someone has also insinuated, among other things, that I have been paid to talk s**t on the Android.

Now let me get some rest from this August Italian Sun and let me try to explain why I decided to celebrate this strange malware birthday for the Android.

First of all I want to make a thing clear: I currently do own an Android Device, and convinced, where possible, all my relatives and friends to jump on the Android. Moreover I do consider the Google platform an inseparable companion for my professional and personal life.

So what’s wrong? If you scroll the malware list you may easily notice that the malware always require an explicit consent from the user, so at first glance the real risk is the extreme trust that users put in their mobile devices which are not considered “simple” phones (even if smart), but real extensions of their personal and professional life.

You might say that this happens also for traditional devices (such as laptops), but in case of mobile devices there is a huge social and cultural difference: users are not aware to bring on their pocket dual (very soon four) cores mini-PCs and are not used to apply the same attention deserved for their old world traditional devices. Their small display size also make these devices particularly vulnerable to phishing (consider for instance the malware Android.GGTracker).

If we focus on technology instead of culture (not limiting the landscape to mobile) it easy to verify that the activity of developing malware (which nowadays is essentially a cybercrime activity) is a trade off between different factors affecting the potential target which include, at least its level of diffusion and its value for the attacker (in a mobile scenario the value corresponds to the value of the information stored on the device). The intrinsic security model of the target is, at least in my opinion, a secondary factor since the effort to overtake it, is simply commensurate with the value of the potential plunder.

What does this mean in simple words? It means that Android devices are growing exponentially in terms of market shares and are increasingly being used also for business. As a consequence there is a greater audience for the attackers, a greater value for the information stored (belonging to the owner’s personal and professional sphere) and consequently the sum of these factors is inevitably attracting Cybercrooks towards this platform.

Have a look to the chart drawing Google OS Market share in the U.S. (ComScore Data) compared with the number of malware samples in this last year (Data pertaining Market Share for June and July are currently not available):

So far the impact of the threats is low, but what makes the Google Platform so prone to malware? For sure not vulnerabilities: everything with a line of code is vulnerable, and, at least for the moment, a recent study from Symantec has found only 18 vulnerabilities for Google OS against 300 found for iOS (please do no question on the different age of the two OSes I only want to show that vulnerabilities are common and in this context Android is comparable with its main competitor).

Going back to the initial question there are at least three factors which make Android different:

  1. The application permission model relies too heavily on the user,
  2. The security policy for the market has proven to be weak,
  3. The platform too easily allows to install applications from untrusted sources with the sideloading feature.

As far as the first point is concerned: some commenters correctly noticed that apps do not install themselves on their own, but need, at least for the first installation, the explicit user consent. Well I wonder: how many “casual users” in your opinion regularly check permissions during application installation? And, even worse, as far as business users are concerned, the likely targets of cybercrime who consider the device as a mere work tool: do you really think that business users check app permission during installation? Of course a serious organization should avoid the associated risks with a firm device management policy before considering a wide deployment of similar devices, most of all among CxOs; but unfortunately we live in an imperfect world and too much often fashion and trends are faster (and stronger) than Security Policies and also make the device to be used principally for other things than its business primary role, hugely increasing risks.

This point is a serious security concern, as a matter of fact many security vendors (in my opinion the security industry is in delay in this context) offer Device Management Solution aimed to complete the native Application Access Control model. Besides it is not a coincidence that some rumors claim that Google is going to modify (enhance) the app permission security process.

As far as the second point is concerned (Android Market security policy), after the DroidDream affair, (and the following fake security update), it is clear that the Android Market Publishing (and Security) model needs to be modified, making it more similar to the App Store. There are several proposals in this context, of course in this place is not my intention to question on them but only to stress that the issue is real.

Last but not least Sideloading is something that makes Android very different from other platforms (read Apple), Apple devices do not allow to install untrusted apps unless you do not Jailbreak the devices. Android simply needs the user to flag an option (By The Way many vendors are opening their Android devices to root or alternate ROMs, consider for instance LG which in Italy does not invalidate the Warranty for rooted devices) or HTC which, on May 27, stated they will no longer have been locking the bootloaders on their devices.

So definitively the three above factors (together with the growing market shares) make Android more appealing for malware developers and this is not due to an intrinsic weakness of the platform rather than a security platform model which is mainly driven by the user and not locked by Manufacturer as it happens in case of Cupertino.

One Year Of Android Malware (Full List)

August 11, 2011 30 comments

Update August 14: After the list (and the subsequent turmoil) here is the Look Inside a Year Of Android Malware.

So here it is the full list of Android Malware in a very dangerous year, since August, the 9th 2011 up-to-today.

My birthday gift for the Android is complete: exactly One year ago (9 August 2010) Kaspersky discovered the first SMS Trojan for Android in the Wild dubbed SMS.AndroidOS.FakePlayer.a. This is considered a special date for the Google Mobile OS, since, before then, Android Malware was a litte bit more than en exercise of Style, essentially focused on Spyware. After that everything changed, and mobile malware targeting the Android OS become more and more sophisticated.

Scroll down my special compilation showing the long malware trail which characterized this hard days for information security. Commenting the graph, in my opinion, probably the turning point was Android.Geinimi (end of 2010), featuring the characteristics of a primordial Botnet, but also Android.DroidDream (AKA RootCager) is worthwhile to mention because of its capability to root the phone and potentially to remotely install applications without direct user intervention.

As you will notice, the average impact is low, but, the number of malware is growing exponentially reaching a huge peak in July.

Let’s go in this mobile malware travel between botnets, sleepwalkers, biblic plagues and call Hijackers, and meanwhile do not forget to read my presentation on how to implement a secure mobile strategy.

Date Description Features Overall Risk
Aug 9 2010
SMS.AndroidOS.FakePlayer.a

First SMS Android Malware In the Wild: The malicious program penetrates Android devices in the guise of a harmless media player application. Once manually installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals.

Aug 17 2010 AndroidOS_Droisnake.A

This is the first GPS Spy Malware disguised as an Android Snake game application. To the victim, Tap Snake looks like a clone of the Snake game. However, once someone installs this app on a phone, the “game” serves as a front for a spy app that proceeds to run in the background, secretly reporting GPS coordinates back to a server. The would-be spy then pays for and downloads an app called GPS Spy and enters an email address and code to gain access to the victim’s uploaded data.

Android MarketGPS Spy
Sep 14 2010 SMS.AndroidOS.FakePlayer.b

Pornography lands on Android! This malware is a variant of SMS.AndroidOS.FakePlayer.A. The malware poses as a pornographic application whose package name is pornoplayer.apk, and it installs on the phone with a pornographic icon. When the user launches the application, the malware does not show any adult content and, instead, sends 4 SMS messages to short codes, at the end-user’s expense.

Oct 13 2010
SMS.AndroidOS.FakePlayer.c

Pornography back on Android! Third variant of the malware SMS.AndroidOS.FakePlayer.A. New pornographic application, old icon. Sends 2 SMS messages to short codes, at the end-user’s expense.

Dec 29 2010
Android.Geinimi

First example of a Botnet-Like Malware on Android. “Grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI).

Botnet Like Features
Feb 14 2011
Android.Adrd AKA Android.HongTouTou

New Malware with Botnet-like Features from China. The trojan compromises personal data such as IMEI/IMSI of the device and sends them back to the remote side to react based on the commands from there. Similar to Android.Geinimi but with a lower profile (less commands)

Botnet Like Features
Feb 22 2011 Android.Pjapps

New Trojan horse embedded on third party applications. It opens a back door on the compromised device and retrieves commands from a remote command and control server.

Botnet Like Features
Mar 1 2011 Android.DroidDream AKA Android.Rootcager AKA AndroidOS_Lootoor.A

The first example of a new generation of Mobile Malware: distributed through the Official Android Market, affected, according to Symantec 50,000 to 200,000 users. Expoits two different tools (rageagainstthecage and exploid) to root the phone

Android MarketBotnet Like FeaturesRoot

Mar 9 2011 Android.BgServ AKA Troj/Bgserv-A AKA AndroidOS_BGSERV.A

Trojanized version of the Android Market Security tool released by Google, on March the 6th, to remove the effects of DroidDream. The trojan opens a back door and transmits information from the device to a remote location. It shows more than ever security and reputation flaws in the Android Market Proposition Model. 5,000 users affected.

Android MarketBotnet Like FeaturesRoot

Mar 20 2011 Android.Zeahache

Trojan horse that elevates privileges on the compromised device, discovered on a Chinese language app available for download on alternative Chinese app markets. The app has the ability to root an Android device (by mean of the exploid tool called by zHash binary), leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities was found also on the Android Market albeit this version lacked the code to invoke the exploit.

Android MarketRoot

Mar 30 2011 Android.Walkinwat

Manually installed from non-official Android Markets, the Trojan modifies certain permissions on the compromised device that allow it to perform the following actions: Access contacts in the address book, ccess network information, access the phone in a read-only state, access the vibrator on the phone, Check the license server for the application, find the phone’s location, initiate a phone call without using the interface, open network sockets to access the Internet, read low-level log files, send SMS messages, turn the phone on and off. It gives a message to user trying to discipline users that download files illegally from unauthorized sites.

May 9 2011

Android.Adsms AKA AndroidOS_Adsms.A

This malware specifically targeted China Mobile subscribers. The malware arrived through a link sent through SMS. The said message tells the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually leads to a malicious configuration file. The malware then send message to premium numbers.

Android Market

May 11 2011

Android.Zsone AKA Android.Smstibook

Google removed a Trojan, Zsone, from the Android Market with the ability to subscribe users in China to premium rate QQ codes via SMS without their knowledge. 10,000 users affected.

Android Market

May 22 2011

Android.Spacem

A biblical plague For Android! Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation. The malware targeted North American Users. After the reboot, it starts a service whichm at regular intervals, attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location in intervals of 33 minutes. In addition to having abilities to respond to commands through the Internet and SMS, the threat also has activities that are designed to trigger on the 21 and 22 of May 2011, respectively (The End of The World).

Android Market

Botnet Like Features

May 31 2011

Android.LightDD

A brand new version of Android.DroidDream, dubbed DroidDreamLight, was found in 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developers distributed in the Android Market. Between 30.000 and 120.000 users affected.

Android Market

Botnet Like Features

Jun 6 2011

Android/DroidKungFu.A AKA Android.Gunfu

Malware which uses the same exploit than DroidDream, rageagainstthecage, to gain root privilege and install the main malware component. Once installed, the malware has backdoor capabilities and is able to: execute command to delete a supplied file, execute a command to open a supplied homepage, download and install a supplied APK, open a supplied URL, run or start a supplied application package. The malware is moreover capable to obtain some information concerning the device and send them to a remote server: The collected information include: IMEI number, Build version release, SDK version, users’ mobile number, Phone model, Network Operator, Type of Net Connectivity, SD card available memory, Phone available memory. In few words, the device is turned into a member of a botnet.

Root

Botnet Like Features

Jun 9 2011

Android.Basebridge

Trojan Horse that attempts to send premium-rate SMS messages to predetermined numbers. When an infected application is installed, it attempts to exploit the udev Netlink Message Validation Local Privilege Escalation Vulnerability (BID 34536) in order to obtain “root” privileges.  Once running with “root” privileges it installs an executable which contains functionality to communicate with a control server using HTTP protocol and sends information such as Subscriber ID, Manufacturer and Model of the device, Version of the Android operating system. The Trojan also periodically connects to the control server and may perform the following actions: send SMS messages, remove SMS messages from the Inbox and dial phone numbers. The Trojan also contains functionality to monitor phone usage.

Botnet Like Features

Jun 9 2011

Android.Uxipp AKA Android/YZHCSMS.A

Trojan Horse that attempts to send premium-rate SMS messages to predetermined numbers. Again the threat is as an application for a Chinese gaming community. When executed, the Trojan attempts to send premium-rate SMS messages to several numbers and remove the SMS sent.
The Trojan sends device information, such as IMEI and IMSI numbers.

Android Market

Jun 10 2011

Andr/Plankton-A AKA Android.Tonclank 

This is a Trojan horse which steals information and may open a back door on Android devices. Available for download in the Android Market embedded in several applications, when the Trojan is executed, it steals the following information from the device: Device ID and Device permissions. The above information is then sent to a remote server from which  the Trojan downloads a .jar file which opens a back door and accepts commands to perform the following actions on the compromised device: copies all of the bookmarks on the device, copies all of the history on the device, copies all of the shortcuts on the device, creates a log of all of the activities performed on the device, modifies the browser’s home page, returns the status of the last executed command. The gathered information is then sent to a remote location.

Although this malware does not root the phone, its approach of loading additional code does not allow security software on Android to inspect the downloaded file in the usual “on-access” fashion, but only through scheduled and “on-demand” scans. This is the reason why the malware was not discovered before.

Android Market

Botnet Like Features

Jun 15 2011

Android.Jsmshider

Trojan found in alternative Android markets that predominately target Chinese Android users. This Trojan predominantly affects devices with a custom ROM. The application masquerades as a legitimate one and exploits a vulnerability found in the way most custom ROMs sign their system images to install a secondary payload (without user permission) onto the ROM, giving it the ability to communicate with a remote server and receive commands. Once installed the second payload may read, send and process incoming SMS messages (potentially for mTAN interception or fraudulent premium billing subscriptions), install apps trasparently, communicate with a remote server using DES encryption.

Botnet Like Features

Jun 20 2011

Android.GGTracker

This trojan is automatically downloaded to a user’s phone after visiting a malicious webpage that imitates the Android Market. The Trojan, which targets users in the United States by interacting with a number of premium SMS subscription services without consent, is able to sign-up a victim to a number of premium SMS subscription services without the user’s consent.  This can lead to unapproved charges to a victim’s phone bill. Android users are directed to install this Trojan after clicking on a malicious in-app advertisement, for instance a Fake Battery Saver.

Jul 1 2011

Android.KungFu Variants

Repackaged and distributed in the form of “legitimate” applications, these two variants are different from the original one by  re-implementing some of their malicious functionalities in native code and supporting two additional command and control (C&C) domains. The changes are possibly in place to make their detection and analysis harder.

The repackaged apps infected with the DroidKungFu variants are made available through a number of alternative app markets and forums targeting Chinese-speaking users.

RootBotnet Like Features
Jul 3 2011 AndroidOS_Crusewin.A AKA Android.Crusewind

Another example of a trojan which sends SMS to premium rate numbers. It also acts as a SMS Relay. It displays a standard Flash icon in the application list. The Trojan attempts to download an XML configuration file and uses it to retrieve a list of further URLs to send and receive additional data. The Trojan also contains functionality to perform the following actions: delete itself, delete SMS messages, send premium-rate SMS messages to the number that is specified in the downloaded XML configuration file, update itself.

Jul 6 2011

AndroidOS_SpyGold.A AKA Android.GoldDream

This backdoor is a Trojanized copy of a legitimate gaming application for Android OS smartphones. It steals sensitive information of the affected phone’s SMS and calls functions, compromising the security of the device and of the user. It monitors the affected phone’s SMS and phone calls and sends stolen information to a remote URL. It also connects to a malicious URL in order to receive commands from a remote malicious user.

Botnet Like Features

Jul 8 2011 DroidDream Light Variant

New variant of DroidDream Light in the Android Market, immediately removed by Google. Number of downloads was limited to 1000 – 5000. This is the third iteration of malware likely created by the authors of DroidDream.

Android Market

Botnet Like Features

Jul 11 2011

Android.Smssniffer AKA Andr/SMSRep-B/C AKA Android.Trojan.SmsSpy.B/C AKA Trojan-Spy.AndroidOS.Smser.a


ZiTMO arrives on Android!
This threat is found bundled with repackaged versions of legitimate applications. When the Trojan is executed, it grabs a copy of all SMS messages received on the handheld device and sends them to a remote location.

Jul 12 2011

Android.HippoSMS AKA Android.Hippo

Another threat found bundled with repackaged versions of legitimate applications. When the Trojan is executed, it grabs a copy of all SMS messages received on the handheld device and sends them to a remote location.

Jul 15 2011

Android.Fokonge

This threat is often found bundled with repackaged versions of legitimate applications. The repackaged applications are typically found on unofficial websites offering Android applications. When the Trojan is executed, it steals information and sends it to a remote server.

Botnet Like Features

Jul 15 2011

Android/Sndapps.A AKA Android.Snadapps

Five Android Apps found in the official Android Market share a common suspicious payload which upload users’ personal information such as email accounts as well as phone numbers to a remote server without user’s awareness.

Android Market

Botnet Like Features

Jul 27 2011

Android.Nickispy

Trojan horse which steals several information from Android devices (for instance GPS Location or Wi-Fi position). For the first time on the Android Platform a malware is believed  to spy conversations.

Botnet Like Features

Jul 28 2011

Android.Lovetrap

Trojan horse that sends SMS messages to premium-rate phone number. When the Trojan is executed, it retrieves information containing premium-rate phone numbers from a malicious URL then sends premium-rate SMS messages. and attempts to block any confirmation SMS messages the compromised device may receive from the premium-rate number in an attempt to mask its activities. The Trojan also attempts to gather IMSI and location information and send the information to the remote attacker.

Aug2 2011

Android.Premiumtext

This is a detection for Trojan horses that send SMS texts to premium-rate numbers. These Trojan is a repackaged versions of genuine Android software packages, often distributed outside the Android Marketplace. The package name, publisher, and other details will vary and may be taken directly from the original application..

Aug 9 2011

Android.NickiBot

It belongs to the same NickiSpy family. However, it is significantly different from its predecessor since it is fully controlled by SMS messages instead of relying on a hard-coded C&C server for instructions. In addition, NickiBot supports a range of bot commands, such as for (GPS-based) location monitoring, sound recording and (email-based) uploading, calllog collection, etc. It also has a check-in mechanism to a remote website. his threat is often found bundled with repackaged versions of legitimate applications. The repackaged applications are typically found on unofficial websites offering Android applications. When the Trojan is executed, it steals information and sends it to a remote server.

Botnet Like Features

Legend

Parallel Market

Android MarketAndroid Market

Manual Install

Automatic Install of Apps

Send SMS or Calls to Premium Numbers

Botnet Like Features Server C&C

GPS SpyGPS Spyware

Root Root Access

Happy Birthday! One Year of Android Malware

August 9, 2011 2 comments

Exactly One year ago (9 August 2010) Kaspersky discovered the first SMS Trojan for Android in the Wild dubbed SMS.AndroidOS.FakePlayer.a. This is considered a special date for the Google Mobile OS, since, before then, Android Malware was a litte bit more than en exercise of Style, essentially focused on Spyware. After that everything changed, and mobile malware targeting the Android OS become more and more sophisticated.

For this reason I decided to prepare a special birthday gift for the Android, that is a special compilation showing the long malware trail which characterized this day. Commenting the graph, in my opinion, probably the turning point was Android.Geinimi (end of 2010), featuring the characteristics of a primordial Botnet, but also Android.DroidDream (AKA RootCager) is worthwhile to mention because of its capability to root the phone and potentially to remotely install applications without direct user intervention. Moreover, as you will have probably noticed, the average impact is low, but, the number of malware is growing exponentially after June, this is the reason why I decided to divide my special compilation in two parts. Today is part I: from the beginning to May, the 31st 2011.

Let’s go in this mobile malware travel between botnets, sleepwalkers and biblic plagues and meanwhile do not forget to read my presentation on how to implement a secure mobile strategy.

Date Description Features Overall Risk
Aug 9 2010
SMS.AndroidOS.FakePlayer.a

First SMS Android Malware In the Wild: The malicious program penetrates Android devices in the guise of a harmless media player application. Once manually installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals.

Aug 17 2010 AndroidOS_Droisnake.A

This is the first GPS Spy Malware disguised as an Android Snake game application. To the victim, Tap Snake looks like a clone of the Snake game. However, once someone installs this app on a phone, the “game” serves as a front for a spy app that proceeds to run in the background, secretly reporting GPS coordinates back to a server. The would-be spy then pays for and downloads an app called GPS Spy and enters an email address and code to gain access to the victim’s uploaded data.

Android MarketGPS Spy
Sep 14 2010 SMS.AndroidOS.FakePlayer.b

Pornography lands on Android! This malware is a variant of SMS.AndroidOS.FakePlayer.A. The malware poses as a pornographic application whose package name is pornoplayer.apk, and it installs on the phone with a pornographic icon. When the user launches the application, the malware does not show any adult content and, instead, sends 4 SMS messages to short codes, at the end-user’s expense.

Oct 13 2010
SMS.AndroidOS.FakePlayer.c

Pornography back on Android! Third variant of the malware SMS.AndroidOS.FakePlayer.A. New pornographic application, old icon. Sends 2 SMS messages to short codes, at the end-user’s expense.

Dec 29 2010
Android.Geinimi

First example of a Botnet-Like Malware on Android. “Grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI).

Botnet Like Features
Feb 14 2011
Android.Adrd AKA Android.HongTouTou

New Malware with Botnet-like Features from China. The trojan compromises personal data such as IMEI/IMSI of the device and sends them back to the remote side to react  based on the commands from there. Similar to Android.Geinimi but with a lower profile (less commands)

Botnet Like Features
Feb 22 2011 Android.Pjapps

New Trojan horse embedded on third party applications. It opens a back door on the compromised device and retrieves commands from a remote command and control server.

Botnet Like Features
Mar 1 2011 Android.DroidDream AKA Android.Rootcager AKA AndroidOS_Lootoor.A

The first example of a new generation of Mobile Malware: distributed through the Official Android Market, affected, according to Symantec 50,000 to 200,000 users. Expoits two different tools  (rageagainstthecage and exploid) to root the phone

Android MarketBotnet Like FeaturesRoot

Mar 9 2011 Android.BgServ AKA Troj/Bgserv-A AKA AndroidOS_BGSERV.A

Trojanized version of the Android Market Security tool released by Google, on March the 6th, to remove the effects of DroidDream. The trojan opens a back door and transmits information from the device to a remote location. It shows more than ever security and reputation flaws in the Android Market Proposition Model. 5,000 users affected.

Android MarketBotnet Like FeaturesRoot

Mar 20 2011 Android.Zeahache

Trojan horse that elevates privileges on the compromised device, discovered on a Chinese language app available for download on alternative Chinese app markets. The app has the ability to root an Android device (by mean of the exploid tool called by zHash binary), leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities was found also on the Android Market albeit this version lacked the code to invoke the exploit.

Android MarketRoot

Mar 30 2011 Android.Walkinwat

Manually installed from non-official Android Markets, the Trojan modifies certain permissions on the compromised device that allow it to perform the following actions: Access contacts in the address book, ccess network information, access the phone in a read-only state, access the vibrator on the phone, Check the license server for the application, find the phone’s location, initiate a phone call without using the interface, open network sockets to access the Internet, read low-level log files, send SMS messages, turn the phone on and off. It gives a message to user  trying to discipline users that download files illegally from unauthorized sites.

May 9 2011

Android.Adsms AKA AndroidOS_Adsms.A

This malware specifically targeted China Mobile subscribers. The malware arrived through a link sent through SMS. The said message tells the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually leads to a malicious configuration file. The malware then send message to premium numbers.

Android Market

May 11 2011

Android.Zsone AKA Android.Smstibook

Google removed a Trojan, Zsone, from the Android Market with the ability to subscribe users in China to premium rate QQ codes via SMS without their knowledge. 10,000 users affected.

Android Market

May 22 2011

Android.Spacem

A biblical plague For Android! Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation. The malware targeted North American Users. After the reboot, it starts a service whichm at regular intervals, attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location in intervals of 33 minutes. In addition to having abilities to respond to commands through the Internet and SMS, the threat also has activities that are designed to trigger on the 21 and 22 of May 2011, respectively (The End of The World).

Android Market

Botnet Like Features

May 31 2011

Android.LightDD

A brand new version of Android.DroidDream, dubbed DroidDreamLight, was found in 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developers distributed in the Android Market. Between 30.000 and 120.000 users affected.

Android Market

Botnet Like Features

Legend

Parallel Market

Android MarketAndroid Market

Manual Install

Automatic Install of Apps

Send SMS or Calls to Premium Numbers

Botnet Like Features Server C&C

GPS SpyGPS Spyware

Phonarchy in the U.K.

July 15, 2011 1 comment

It looks like that the Perfidious Albion is not what one should exactly define a Paradise for Mobile Security. Not only the echoes of the Scandal concerning “voicemail hacking” led the infamous tabloid News Of the World to close on Sunday, the 10th of July 2011, and Rebekah Brooks to resign as CEO of News International today; but also the flow of events has unexpectedly brought mobile security issues to the attention of a wider audience, no more confined to the sole and exclusive attention of information security professionals.

This is partially due to the relative easiness in implementing similar hacking techniques in mobile communications, which is raising doubts and misgivings in many other countries. As a matter of fact, as actually happened, voicemail hacking is relatively easy to implement and is based, as usual, on two factors:

  • From the user perspective, on the poor attention for default (in)security settings;
  • From the operator perspective, on the necessary trade-off between security, user experience, and convenience, (almost) always favoring the latter, which turns out not to be an optimal choice from a security perspective.

A lethal mix wich may be quite easily exploited by a balanced blend made of (little) hacking and (a lot of) social engineering. At this link a really complete and interesting description very helpful to understand how relatively easy is to perform voicemail hacking with some U.K. operators (but keep in mind that procedures vary from Operator to Operator). Accorrding to the above quoted article, in theory, it is possible to elude the meshes of the security procedures of the operators, simply calling the voicemail of the victim impersonating the legitimate user, claiming to have forgotten the PIN and voila, that’s it!

Voicemail hacking does not need further components, but unfortunately is not the only issue that may happen: in theory entire conversations may be hijacked (and unfortunately it is something we are quite familiar to, here in Italy). The Security Process of a phone conversations is an end-to-end chain, inside which technology is only a component, and the human factor is the weakest link. In this context weak means leak so that often it happens that some information that should not be disclosed are delivered to media (even if irrelevant to any ongoing investigations) with devastating aftermaths for investigations themselves and for victims’ privacy.

The scenario is further complicated with the new generation of smartphones, where technology (and the ongoing process of Consumerization of Information Technology) leaves virtually no limits to the imagination of attackers: not only voicemail hacking, but also mobile malware (a threat which does not need the unintended cooperation of the Operator) capable of extracting any information from devices. The dramatic events in U.K. involved using stolen data for squalid journalistic purposes, but, since mobile devices are nowadays indispensable companions of our everyday lives, nothing prevents, in theory, to use the same or different methods to steal other kinds of information such as confidential data, banking transaction identifiers, etc… Do you really need a confirm? For instance the recent evolution of the Infamous ZiTMo mobile malware that has just landed on Android (the continuing metamorphosis of this malware is really meaningful: born on the Windows platform, it has rapidly spread on Windows CE, Symbian, and now, last but not least, Android). Since it is expected that 5.6% of iPhones/Android handsets is going to be infected in the next 12 months, there is much to worry. In this context what happened in U.K. may constitute a dangerous precedent and a dramatic source of inspiration for organized cybercrime.

Fears that similar occurrences could happen in other countries are rapidly spreading. As a consequence some countries are moving fast to prevent them.

In the U.S., in wake of U.K. Hacking, Representative Mary Bono Mack, a California Republican who chairs the House subcommittee on commerce, manufacturing and trade, is contacting handset manufacturer companies including Apple, Google, Research in Motion, and wireless companies as well, such as AT&T, Verizon Wireless and Sprint Nextel, to determine if there are any vulnerabilities in cell phones or mobile devices which can be exploited by criminals and other unscrupulous individuals. Clearly the final target is to prevent similar events from ever happening in the United States.

For the Chronicle, on June 13 Bono Mack released draft legislation which aims to tighten data security for companies victims of data breaches. Under the proposal, companies that experience a breach that exposes consumer data would have 48 hours to contact law enforcement agencies and begin assessing the potential damage.

Immediately after U.S. Attorney General Eric Holder is considering investigation into News Corp. for the same reson.

Anyway U.S. is not the only country worried about, as similar concerns are raising in Canada, and I may easily imagine that other countries will soon deal the same stuff.

A final curious notice: a further confirm that U.K. is not the paradise for mobile security came this morning when I stumbled upon this wiki which happily shows how to hack a Vodafone femto cell (just released to public) in order to, among the other things, intercept traffic, perform call frauds (place calls or send SMS on on behalf of somebody else SIM card).

The best (or the worst, it depends on the points of view) is yet to come…

Consumerization Of Warfare 2.0

June 21, 2011 2 comments

It looks like the consumerization of warfare is unstoppable and getting more and more mobile. After our first post of Jume the 16th, today I stumbled upon a couple of articles indicating the growing military interest for consumer technologies.

Network World reports that the National Security Agency is evaluating the use of COTS (Commercial Off-The-Shelf) products for military purposes and is evaluating several different commercially available smartphones and tablets, properly hardened and secured. The final goal is to have four main devices, plus a couple of infrastructure support services. Meanwhile, trying to anticipate the NSA certification process, U.S. Marines are willing to verify the benefits of a military use of smartphones and consequently issued a Request For Information for trusted handheld platforms.

In both cases, the new technologies (smartphones and tablets) are preferred since they are able to provide, in small size and weight, the capability to rapidly access information in different domains (e.g., internet, intranet, secret), geolocation capabilities which are useful in situation awareness contexts, and , last but not least, the capability to connect with different media (eg, personal area network [PAN], wireless local area network [LAN], wide area network [WAN]).

Nevertheless, in a certain manner, the two approaches, albeit aiming to the same objective, are slightly different. NSA is evaluating the possibility to harden COTS in order to make them suitable for a military use, but since this process of hardening, certification and accreditation may take up to a couple of years, which is typically the life cycle of a commercial smartphone or tablet (it sounds quite optimistic since one year is an eternity for this kind of devices), the RFI issued by the Marines Corps is soliciting for system architectures and business partnerships that facilitate low-cost and high-assurance handhelds, where high-assurance means at least meeting the common criteria for evaluated assurance level (EAL) of 5+ or above. From this point of view the Marines’ approach seems closer to (and hence follows) the approach faced by the U.S. Army which is already testing iPhones, Android devices and tablets for us in war (a total of 85 apps, whose development took about $4.2 million, we could nearly speak about a Military iTunes or Military Android Market!).

But the adoption of consumer technologies does not stop here and will probably soon involve also the use of technologies closely resembling the Cloud. As a matter of fact, the NSA plans to develop in the near future a secure mobile capability, referred to as the “Mobile Virtual Network Operator,”, which will be be able to establish a way to provide sensitive content to the military and intelligence “in a way that roughly emulates what Amazon does with Kindle”, as stated by said Debora Plunkett, director of the NSA’s information assurance directorate, speaking at the Gartner Security and Risk Management Summit 2011 (but the NSA will not be the first to pilot this kind of technology since the NATO is already adopting Cloud Computing).

Probably this is only one side of the coin, I’m willing to bet that the consumerization of warfare will soon “infect” armies belonging to different countries and consequently the next step will be the development of weapons (read mobile military malware) targeted to damage the normal behavior of the military smartphones and tablets. On the other hand the Pentagon has developed a list of cyber-weapons, including malware, that can sabotage an adversary’s critical networks, so it is likely that these kind of weapons will soon affect mobile devices…

When Angry Birds eat Plankton

June 14, 2011 1 comment
Android Market

Image via Wikipedia

What happens when Angry Birds eat Plankton? Simple: they get Sick Birds, go to the Android Market and infect more devices with a bot-like malware.

The last malware inside the Android Market, dubbed Plankton, has been discovered by the same team which discovered DroidKungFu led by Xuxian Jiang, Assistant Professor at North Carolina State University. Although the brand new malware does not root the device, it has the bad habit to hide itself inside familiar apps related to the popular game Angry Birds. The suspected apps were removed on 6/5/2011, but since the malware leverages a new evasion technique which allowed it to stay in the market for more than 2 months without being detected by current mobile anti-malware software, but being downloaed more than 100.000 times.

Plankton is included in host apps by adding a background service: when the infected app runs, it will bring up the background service which collects information, including the device ID as well as the list of granted permissions to the infected app, and send them back to a remote server discovered by Sophos to be hosted in the Amazon Cloud.

The server replies with a URL that is used to download an additional JAR file with custom code that is loaded by the downloader.

Once the JAR file is downloaded, Plankton uses a technique for loading additional code from non-Market websites demonstrated by Jon Oberheide about a year ago, providing a potential attacker with a method of circumventing checks of application functionality by Google or by another Android Market provider.

The downloaded code launches another connection to the Command server and listens for commands to execute.

Although this malware does not root the phone, its approach of loading additional code does not allow security software on Android to inspect the downloaded file in the usual “on-access” fashion, but only through scheduled and “on-demand” scans. This is the reason why the malware was not discovered before.

As a consequence the pressure on Google is building on two fronts: on one side, users are demanding better security and on the other side security vendors are asking for better operating system interfaces to make security software more effective against the ever-increasing tide of Android malware.

Follow

Get every new post delivered to your Inbox.

Join 3,174 other followers