About these ads

Archive

Posts Tagged ‘Lookout’

16-30 April 2013 Cyber Attacks Timeline

Here’s the second part of the April cyber attacks Timeline (Part I at this link)

The most remarkable event of this period has certainly been the breach suffered by Living Social potentially exposing 50 million customers of the e-commerce website. Other illustrious victims of the month include the mobile operator DoCoMo and the online reputation firm Reputation.com.

The wake of DDoS attacks has continued even in the second part of the month: once again several U.S. banks have fallen under the blows of the Izz ad-din al-Qassam Cyber Fighters.

Like in the first  half of the month, following a consolidating trend in this 2013, the Syrian Electronic Army has continued his wave of attacks against Twitter accounts (even the FIFA has been targeted). In one case, the hijacking of the Twitter account of Associated Press, the bogus tweets related to an alleged attack against the White House, the effect has crossed the boundaries of the cyber space (the Dow Jones Industrial Average fell 150 points, or about 1 percent, immediately following the tweet).

If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012 and now 2013 (regularly updated). You may also want to have a look at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.

Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).

April 2013 Cyber Attacks Timeline Part II

Read more…

About these ads
Categories: Cyber Attacks Timeline, Security Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

One Year Of Android Malware (Full List)

August 11, 2011 30 comments

Update August 14: After the list (and the subsequent turmoil) here is the Look Inside a Year Of Android Malware.

So here it is the full list of Android Malware in a very dangerous year, since August, the 9th 2011 up-to-today.

My birthday gift for the Android is complete: exactly One year ago (9 August 2010) Kaspersky discovered the first SMS Trojan for Android in the Wild dubbed SMS.AndroidOS.FakePlayer.a. This is considered a special date for the Google Mobile OS, since, before then, Android Malware was a litte bit more than en exercise of Style, essentially focused on Spyware. After that everything changed, and mobile malware targeting the Android OS become more and more sophisticated.

Scroll down my special compilation showing the long malware trail which characterized this hard days for information security. Commenting the graph, in my opinion, probably the turning point was Android.Geinimi (end of 2010), featuring the characteristics of a primordial Botnet, but also Android.DroidDream (AKA RootCager) is worthwhile to mention because of its capability to root the phone and potentially to remotely install applications without direct user intervention.

As you will notice, the average impact is low, but, the number of malware is growing exponentially reaching a huge peak in July.

Let’s go in this mobile malware travel between botnets, sleepwalkers, biblic plagues and call Hijackers, and meanwhile do not forget to read my presentation on how to implement a secure mobile strategy.

Date Description Features Overall Risk
Aug 9 2010
SMS.AndroidOS.FakePlayer.a

First SMS Android Malware In the Wild: The malicious program penetrates Android devices in the guise of a harmless media player application. Once manually installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals.

Aug 17 2010 AndroidOS_Droisnake.A

This is the first GPS Spy Malware disguised as an Android Snake game application. To the victim, Tap Snake looks like a clone of the Snake game. However, once someone installs this app on a phone, the “game” serves as a front for a spy app that proceeds to run in the background, secretly reporting GPS coordinates back to a server. The would-be spy then pays for and downloads an app called GPS Spy and enters an email address and code to gain access to the victim’s uploaded data.

Android MarketGPS Spy
Sep 14 2010 SMS.AndroidOS.FakePlayer.b

Pornography lands on Android! This malware is a variant of SMS.AndroidOS.FakePlayer.A. The malware poses as a pornographic application whose package name is pornoplayer.apk, and it installs on the phone with a pornographic icon. When the user launches the application, the malware does not show any adult content and, instead, sends 4 SMS messages to short codes, at the end-user’s expense.

Oct 13 2010
SMS.AndroidOS.FakePlayer.c

Pornography back on Android! Third variant of the malware SMS.AndroidOS.FakePlayer.A. New pornographic application, old icon. Sends 2 SMS messages to short codes, at the end-user’s expense.

Dec 29 2010
Android.Geinimi

First example of a Botnet-Like Malware on Android. “Grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI).

Botnet Like Features
Feb 14 2011
Android.Adrd AKA Android.HongTouTou

New Malware with Botnet-like Features from China. The trojan compromises personal data such as IMEI/IMSI of the device and sends them back to the remote side to react based on the commands from there. Similar to Android.Geinimi but with a lower profile (less commands)

Botnet Like Features
Feb 22 2011 Android.Pjapps

New Trojan horse embedded on third party applications. It opens a back door on the compromised device and retrieves commands from a remote command and control server.

Botnet Like Features
Mar 1 2011 Android.DroidDream AKA Android.Rootcager AKA AndroidOS_Lootoor.A

The first example of a new generation of Mobile Malware: distributed through the Official Android Market, affected, according to Symantec 50,000 to 200,000 users. Expoits two different tools (rageagainstthecage and exploid) to root the phone

Android MarketBotnet Like FeaturesRoot

Mar 9 2011 Android.BgServ AKA Troj/Bgserv-A AKA AndroidOS_BGSERV.A

Trojanized version of the Android Market Security tool released by Google, on March the 6th, to remove the effects of DroidDream. The trojan opens a back door and transmits information from the device to a remote location. It shows more than ever security and reputation flaws in the Android Market Proposition Model. 5,000 users affected.

Android MarketBotnet Like FeaturesRoot

Mar 20 2011 Android.Zeahache

Trojan horse that elevates privileges on the compromised device, discovered on a Chinese language app available for download on alternative Chinese app markets. The app has the ability to root an Android device (by mean of the exploid tool called by zHash binary), leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities was found also on the Android Market albeit this version lacked the code to invoke the exploit.

Android MarketRoot

Mar 30 2011 Android.Walkinwat

Manually installed from non-official Android Markets, the Trojan modifies certain permissions on the compromised device that allow it to perform the following actions: Access contacts in the address book, ccess network information, access the phone in a read-only state, access the vibrator on the phone, Check the license server for the application, find the phone’s location, initiate a phone call without using the interface, open network sockets to access the Internet, read low-level log files, send SMS messages, turn the phone on and off. It gives a message to user trying to discipline users that download files illegally from unauthorized sites.

May 9 2011

Android.Adsms AKA AndroidOS_Adsms.A

This malware specifically targeted China Mobile subscribers. The malware arrived through a link sent through SMS. The said message tells the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually leads to a malicious configuration file. The malware then send message to premium numbers.

Android Market

May 11 2011

Android.Zsone AKA Android.Smstibook

Google removed a Trojan, Zsone, from the Android Market with the ability to subscribe users in China to premium rate QQ codes via SMS without their knowledge. 10,000 users affected.

Android Market

May 22 2011

Android.Spacem

A biblical plague For Android! Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation. The malware targeted North American Users. After the reboot, it starts a service whichm at regular intervals, attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location in intervals of 33 minutes. In addition to having abilities to respond to commands through the Internet and SMS, the threat also has activities that are designed to trigger on the 21 and 22 of May 2011, respectively (The End of The World).

Android Market

Botnet Like Features

May 31 2011

Android.LightDD

A brand new version of Android.DroidDream, dubbed DroidDreamLight, was found in 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developers distributed in the Android Market. Between 30.000 and 120.000 users affected.

Android Market

Botnet Like Features

Jun 6 2011

Android/DroidKungFu.A AKA Android.Gunfu

Malware which uses the same exploit than DroidDream, rageagainstthecage, to gain root privilege and install the main malware component. Once installed, the malware has backdoor capabilities and is able to: execute command to delete a supplied file, execute a command to open a supplied homepage, download and install a supplied APK, open a supplied URL, run or start a supplied application package. The malware is moreover capable to obtain some information concerning the device and send them to a remote server: The collected information include: IMEI number, Build version release, SDK version, users’ mobile number, Phone model, Network Operator, Type of Net Connectivity, SD card available memory, Phone available memory. In few words, the device is turned into a member of a botnet.

Root

Botnet Like Features

Jun 9 2011

Android.Basebridge

Trojan Horse that attempts to send premium-rate SMS messages to predetermined numbers. When an infected application is installed, it attempts to exploit the udev Netlink Message Validation Local Privilege Escalation Vulnerability (BID 34536) in order to obtain “root” privileges.  Once running with “root” privileges it installs an executable which contains functionality to communicate with a control server using HTTP protocol and sends information such as Subscriber ID, Manufacturer and Model of the device, Version of the Android operating system. The Trojan also periodically connects to the control server and may perform the following actions: send SMS messages, remove SMS messages from the Inbox and dial phone numbers. The Trojan also contains functionality to monitor phone usage.

Botnet Like Features

Jun 9 2011

Android.Uxipp AKA Android/YZHCSMS.A

Trojan Horse that attempts to send premium-rate SMS messages to predetermined numbers. Again the threat is as an application for a Chinese gaming community. When executed, the Trojan attempts to send premium-rate SMS messages to several numbers and remove the SMS sent.
The Trojan sends device information, such as IMEI and IMSI numbers.

Android Market

Jun 10 2011

Andr/Plankton-A AKA Android.Tonclank 

This is a Trojan horse which steals information and may open a back door on Android devices. Available for download in the Android Market embedded in several applications, when the Trojan is executed, it steals the following information from the device: Device ID and Device permissions. The above information is then sent to a remote server from which  the Trojan downloads a .jar file which opens a back door and accepts commands to perform the following actions on the compromised device: copies all of the bookmarks on the device, copies all of the history on the device, copies all of the shortcuts on the device, creates a log of all of the activities performed on the device, modifies the browser’s home page, returns the status of the last executed command. The gathered information is then sent to a remote location.

Although this malware does not root the phone, its approach of loading additional code does not allow security software on Android to inspect the downloaded file in the usual “on-access” fashion, but only through scheduled and “on-demand” scans. This is the reason why the malware was not discovered before.

Android Market

Botnet Like Features

Jun 15 2011

Android.Jsmshider

Trojan found in alternative Android markets that predominately target Chinese Android users. This Trojan predominantly affects devices with a custom ROM. The application masquerades as a legitimate one and exploits a vulnerability found in the way most custom ROMs sign their system images to install a secondary payload (without user permission) onto the ROM, giving it the ability to communicate with a remote server and receive commands. Once installed the second payload may read, send and process incoming SMS messages (potentially for mTAN interception or fraudulent premium billing subscriptions), install apps trasparently, communicate with a remote server using DES encryption.

Botnet Like Features

Jun 20 2011

Android.GGTracker

This trojan is automatically downloaded to a user’s phone after visiting a malicious webpage that imitates the Android Market. The Trojan, which targets users in the United States by interacting with a number of premium SMS subscription services without consent, is able to sign-up a victim to a number of premium SMS subscription services without the user’s consent.  This can lead to unapproved charges to a victim’s phone bill. Android users are directed to install this Trojan after clicking on a malicious in-app advertisement, for instance a Fake Battery Saver.

Jul 1 2011

Android.KungFu Variants

Repackaged and distributed in the form of “legitimate” applications, these two variants are different from the original one by  re-implementing some of their malicious functionalities in native code and supporting two additional command and control (C&C) domains. The changes are possibly in place to make their detection and analysis harder.

The repackaged apps infected with the DroidKungFu variants are made available through a number of alternative app markets and forums targeting Chinese-speaking users.

RootBotnet Like Features
Jul 3 2011 AndroidOS_Crusewin.A AKA Android.Crusewind

Another example of a trojan which sends SMS to premium rate numbers. It also acts as a SMS Relay. It displays a standard Flash icon in the application list. The Trojan attempts to download an XML configuration file and uses it to retrieve a list of further URLs to send and receive additional data. The Trojan also contains functionality to perform the following actions: delete itself, delete SMS messages, send premium-rate SMS messages to the number that is specified in the downloaded XML configuration file, update itself.

Jul 6 2011

AndroidOS_SpyGold.A AKA Android.GoldDream

This backdoor is a Trojanized copy of a legitimate gaming application for Android OS smartphones. It steals sensitive information of the affected phone’s SMS and calls functions, compromising the security of the device and of the user. It monitors the affected phone’s SMS and phone calls and sends stolen information to a remote URL. It also connects to a malicious URL in order to receive commands from a remote malicious user.

Botnet Like Features

Jul 8 2011 DroidDream Light Variant

New variant of DroidDream Light in the Android Market, immediately removed by Google. Number of downloads was limited to 1000 – 5000. This is the third iteration of malware likely created by the authors of DroidDream.

Android Market

Botnet Like Features

Jul 11 2011

Android.Smssniffer AKA Andr/SMSRep-B/C AKA Android.Trojan.SmsSpy.B/C AKA Trojan-Spy.AndroidOS.Smser.a


ZiTMO arrives on Android!
This threat is found bundled with repackaged versions of legitimate applications. When the Trojan is executed, it grabs a copy of all SMS messages received on the handheld device and sends them to a remote location.

Jul 12 2011

Android.HippoSMS AKA Android.Hippo

Another threat found bundled with repackaged versions of legitimate applications. When the Trojan is executed, it grabs a copy of all SMS messages received on the handheld device and sends them to a remote location.

Jul 15 2011

Android.Fokonge

This threat is often found bundled with repackaged versions of legitimate applications. The repackaged applications are typically found on unofficial websites offering Android applications. When the Trojan is executed, it steals information and sends it to a remote server.

Botnet Like Features

Jul 15 2011

Android/Sndapps.A AKA Android.Snadapps

Five Android Apps found in the official Android Market share a common suspicious payload which upload users’ personal information such as email accounts as well as phone numbers to a remote server without user’s awareness.

Android Market

Botnet Like Features

Jul 27 2011

Android.Nickispy

Trojan horse which steals several information from Android devices (for instance GPS Location or Wi-Fi position). For the first time on the Android Platform a malware is believed  to spy conversations.

Botnet Like Features

Jul 28 2011

Android.Lovetrap

Trojan horse that sends SMS messages to premium-rate phone number. When the Trojan is executed, it retrieves information containing premium-rate phone numbers from a malicious URL then sends premium-rate SMS messages. and attempts to block any confirmation SMS messages the compromised device may receive from the premium-rate number in an attempt to mask its activities. The Trojan also attempts to gather IMSI and location information and send the information to the remote attacker.

Aug2 2011

Android.Premiumtext

This is a detection for Trojan horses that send SMS texts to premium-rate numbers. These Trojan is a repackaged versions of genuine Android software packages, often distributed outside the Android Marketplace. The package name, publisher, and other details will vary and may be taken directly from the original application..

Aug 9 2011

Android.NickiBot

It belongs to the same NickiSpy family. However, it is significantly different from its predecessor since it is fully controlled by SMS messages instead of relying on a hard-coded C&C server for instructions. In addition, NickiBot supports a range of bot commands, such as for (GPS-based) location monitoring, sound recording and (email-based) uploading, calllog collection, etc. It also has a check-in mechanism to a remote website. his threat is often found bundled with repackaged versions of legitimate applications. The repackaged applications are typically found on unofficial websites offering Android applications. When the Trojan is executed, it steals information and sends it to a remote server.

Botnet Like Features

Legend

Parallel Market

Android MarketAndroid Market

Manual Install

Automatic Install of Apps

Send SMS or Calls to Premium Numbers

Botnet Like Features Server C&C

GPS SpyGPS Spyware

Root Root Access

Happy Birthday! One Year of Android Malware

August 9, 2011 2 comments

Exactly One year ago (9 August 2010) Kaspersky discovered the first SMS Trojan for Android in the Wild dubbed SMS.AndroidOS.FakePlayer.a. This is considered a special date for the Google Mobile OS, since, before then, Android Malware was a litte bit more than en exercise of Style, essentially focused on Spyware. After that everything changed, and mobile malware targeting the Android OS become more and more sophisticated.

For this reason I decided to prepare a special birthday gift for the Android, that is a special compilation showing the long malware trail which characterized this day. Commenting the graph, in my opinion, probably the turning point was Android.Geinimi (end of 2010), featuring the characteristics of a primordial Botnet, but also Android.DroidDream (AKA RootCager) is worthwhile to mention because of its capability to root the phone and potentially to remotely install applications without direct user intervention. Moreover, as you will have probably noticed, the average impact is low, but, the number of malware is growing exponentially after June, this is the reason why I decided to divide my special compilation in two parts. Today is part I: from the beginning to May, the 31st 2011.

Let’s go in this mobile malware travel between botnets, sleepwalkers and biblic plagues and meanwhile do not forget to read my presentation on how to implement a secure mobile strategy.

Date Description Features Overall Risk
Aug 9 2010
SMS.AndroidOS.FakePlayer.a

First SMS Android Malware In the Wild: The malicious program penetrates Android devices in the guise of a harmless media player application. Once manually installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals.

Aug 17 2010 AndroidOS_Droisnake.A

This is the first GPS Spy Malware disguised as an Android Snake game application. To the victim, Tap Snake looks like a clone of the Snake game. However, once someone installs this app on a phone, the “game” serves as a front for a spy app that proceeds to run in the background, secretly reporting GPS coordinates back to a server. The would-be spy then pays for and downloads an app called GPS Spy and enters an email address and code to gain access to the victim’s uploaded data.

Android MarketGPS Spy
Sep 14 2010 SMS.AndroidOS.FakePlayer.b

Pornography lands on Android! This malware is a variant of SMS.AndroidOS.FakePlayer.A. The malware poses as a pornographic application whose package name is pornoplayer.apk, and it installs on the phone with a pornographic icon. When the user launches the application, the malware does not show any adult content and, instead, sends 4 SMS messages to short codes, at the end-user’s expense.

Oct 13 2010
SMS.AndroidOS.FakePlayer.c

Pornography back on Android! Third variant of the malware SMS.AndroidOS.FakePlayer.A. New pornographic application, old icon. Sends 2 SMS messages to short codes, at the end-user’s expense.

Dec 29 2010
Android.Geinimi

First example of a Botnet-Like Malware on Android. “Grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI).

Botnet Like Features
Feb 14 2011
Android.Adrd AKA Android.HongTouTou

New Malware with Botnet-like Features from China. The trojan compromises personal data such as IMEI/IMSI of the device and sends them back to the remote side to react  based on the commands from there. Similar to Android.Geinimi but with a lower profile (less commands)

Botnet Like Features
Feb 22 2011 Android.Pjapps

New Trojan horse embedded on third party applications. It opens a back door on the compromised device and retrieves commands from a remote command and control server.

Botnet Like Features
Mar 1 2011 Android.DroidDream AKA Android.Rootcager AKA AndroidOS_Lootoor.A

The first example of a new generation of Mobile Malware: distributed through the Official Android Market, affected, according to Symantec 50,000 to 200,000 users. Expoits two different tools  (rageagainstthecage and exploid) to root the phone

Android MarketBotnet Like FeaturesRoot

Mar 9 2011 Android.BgServ AKA Troj/Bgserv-A AKA AndroidOS_BGSERV.A

Trojanized version of the Android Market Security tool released by Google, on March the 6th, to remove the effects of DroidDream. The trojan opens a back door and transmits information from the device to a remote location. It shows more than ever security and reputation flaws in the Android Market Proposition Model. 5,000 users affected.

Android MarketBotnet Like FeaturesRoot

Mar 20 2011 Android.Zeahache

Trojan horse that elevates privileges on the compromised device, discovered on a Chinese language app available for download on alternative Chinese app markets. The app has the ability to root an Android device (by mean of the exploid tool called by zHash binary), leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities was found also on the Android Market albeit this version lacked the code to invoke the exploit.

Android MarketRoot

Mar 30 2011 Android.Walkinwat

Manually installed from non-official Android Markets, the Trojan modifies certain permissions on the compromised device that allow it to perform the following actions: Access contacts in the address book, ccess network information, access the phone in a read-only state, access the vibrator on the phone, Check the license server for the application, find the phone’s location, initiate a phone call without using the interface, open network sockets to access the Internet, read low-level log files, send SMS messages, turn the phone on and off. It gives a message to user  trying to discipline users that download files illegally from unauthorized sites.

May 9 2011

Android.Adsms AKA AndroidOS_Adsms.A

This malware specifically targeted China Mobile subscribers. The malware arrived through a link sent through SMS. The said message tells the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually leads to a malicious configuration file. The malware then send message to premium numbers.

Android Market

May 11 2011

Android.Zsone AKA Android.Smstibook

Google removed a Trojan, Zsone, from the Android Market with the ability to subscribe users in China to premium rate QQ codes via SMS without their knowledge. 10,000 users affected.

Android Market

May 22 2011

Android.Spacem

A biblical plague For Android! Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation. The malware targeted North American Users. After the reboot, it starts a service whichm at regular intervals, attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location in intervals of 33 minutes. In addition to having abilities to respond to commands through the Internet and SMS, the threat also has activities that are designed to trigger on the 21 and 22 of May 2011, respectively (The End of The World).

Android Market

Botnet Like Features

May 31 2011

Android.LightDD

A brand new version of Android.DroidDream, dubbed DroidDreamLight, was found in 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developers distributed in the Android Market. Between 30.000 and 120.000 users affected.

Android Market

Botnet Like Features

Legend

Parallel Market

Android MarketAndroid Market

Manual Install

Automatic Install of Apps

Send SMS or Calls to Premium Numbers

Botnet Like Features Server C&C

GPS SpyGPS Spyware

DroidDream is Back!

May 31, 2011 1 comment

There is a new nightmare on the Android Market, and again many Android devices are not going to have a good awakening.

The last security advice for the Google Mobile OS comes from Lookout, which has discovered a new variant of the infamous DroidDream, the first malware conveyed by the Official Android Market capable of infecting at the beginning  of March, according to Symantec, between 50.000 and 200.000 devices.

This time the brand new version, dubbed DroidDreamLight, was found in 26 repackaged applications from 5 different developers distributed in the Android Market. According to Lookout DroidDreamLight is no less than is “noble” predecessor, since was able to affect between 30.000 and 120.000 users.

According to Lookout, the malicious components of DroidDream Light are invoked on receipt of an android.intent.action.PHONE_STATE intent (e.g. an incoming voice call). As a consequence DroidDream Light does not depend on manual launch of the installed application to trigger its behavior.  The broadcast receiver immediately launches the <package>.lightdd.CoreService which contacts remote servers and supplies the IMEI, IMSI, Model, SDK Version and information about installed packages. It appears that the DDLight is also capable of downloading and prompting installation of new packages, though unlike its predecessors it is not capable of doing so without user intervention.

The list of the infected applications (already removed from Google) is available at the original link. I must confess I could not help noticing the rich amount of “hot” applications, which confirm (unfortunately) to be a lethal weapon for carrying malware.

This event will raise again the concerns about the security policies on the Android Market, and about the apparently unstoppable evolution of the mobile threat landscape which has brought for the Android a brand new malware capable of sending data to a remote server. A further step closer to a mobile botnet even if, at least for this time, with limited capabilities of auto-installing packages,.

I will have to update my presentation, meanwhile do not forget to follow the guidelines for a correct mobile behavior:

  • Avoid “promiscuous” behaviours (perform rooting, sideloading or jaibreaking with caution, most of all in case of a device used for professional purpose);
  • Do not accept virtual candies from unkown virtual individuals, i.e. only install applications from trusted sources, always check the origin and their permissions during installation;
  • Beware of unusual behavior of the phone (DroidDream owes its name to the fact that he used to perform most of its malicious action from 11 P.M to 8 A.M.);
  • Beware of risks hidden behind social Network (see my post of yesterday on mobile phishing);
  • Use security software;
  • Keep the device updated.

L’Androide Minacciato Alla Radice

Questa mattina, il buongiorno non ce lo porta l’aroma di caffè e un bel croissant al burro, ma l’ennesima nota di Lookout che segnala l’ennesimo malware per il mai troppo cagionevole Androide. La minaccia viene ancora dall’Estremo Oriente, ed in particolare dalla Cina che si conferma terra ostica per la salute virtuale del Sistema Operativo di Mountain View (mi verrebbe da dire che l’Androide è proprio sensibile alla Cinese).

I sintomi usuali ci sono tutti: il Market Parallelo ed un eseguibile chiamato zHash, che ricalca l’orma del predecessore DroidDream, in grado di rootare (non è una parolaccia ma un improbabile improvvisato neologismo a cui dovremo purtroppo abituarci) il dispositivo mediante il medesimo exploit exploid.

Naturalmente, per non farsi mancare niente, è stata registrata una versione della stessa applicazione anche nel Market Ufficiale, con lo stesso nome, contenente quindi lo stesso exploit, ma priva del codice necessario per invocarlo. Magra consolazione in quanto è sempre meglio non avere il nemico in casa anche se dormiente.

Ad ogni modo l’applicazione, che sembra abbia avuto 5000 download, è stata già rimossa da Google che ha esercitato ancora una volta (sta diventando un’abitudine troppo frequente) la possibilità di disinstallare l’applicazione da remoto (ovviamente la rimozione “coatta” è stata attuata solo per le versioni scaricate dal market ufficiale).

Per inciso la pericolosità del malware sembra relativamente bassa. Ovviamente una volta che il terminale è stato compromesso illecitamente (all’insaputa dell’utente), potrebbe poi essere vittima di altre applicazioni malevole facenti leva sui permessi di root indebitamente acquisiti.

Per ora nessuna altra informazione, rimangono comunque valide le, mai troppo citate, usuali raccomandazioni:

  • Evitare, a meno che non sia strettamente necessario, di abilitare l’opzione di installazione delle applicazioni da Sorgenti Sconosciute (pratica definita anche “sideloading”).
  • Fare attenzione in generale a ciò che si scarica e comunque installare esclusivamente applicazioni da sorgenti fidate (ad esempio l’Android Market ufficiale, le cui applicazioni non sono infette). Buona abitudine è anche quella di verificare il nome dello sviluppatore, le recensioni e i voti degli utenti;
  • Controllare sempre i permessi delle applicazioni durante l’installazione. Naturalmente il buon senso corrisponde al migliore anti-malware per verificare se i permessi sono adeguati allo scopo dell’applicazione;
  • Fare attenzione ai sintomi comportamenti inusuali del telefono (ad esempio strani SMS o una sospetta attività di rete) che potrebbero essere indicatori di una possibile infezione;
  • A questo punto, aimé (e torniamo al tema da poco discusso relativo al costo della sicurezza, valutare una applicazione anti-malware tra le molteplici offertae, destinata oramai a diventare un inseparabile companion.

Un Androide Da Sogno… Anzi Da Incubo… Magari Alieno…

March 2, 2011 1 comment

Il sogno è quello del nuovo (ennesimo) malware che ha preso di mira il povero Androide (chiamato romanticamente DroidDream). L’incubo è questo scorcio di 2011 che si dimostra veramente un anno di passione per la creatura di Mountain View. L’Alieno è quello con cui l’Androide potrebbe ben presto infettare altri dispositivi (magari anche qualche bella Mela…)

Ma andiamo con ordine: l’ultimo allarme  di sicurezza in ordine di tempo proviene ancora una volta da Lookout (che dimostra una volta  in più di vederla lunga in fatto di mobile malware) ed è stato ripreso poco dopo da Symantec che lo ha invece battezzato il malware nuovo arrivato Android.Rootcager.

La differenza rispetto agli illustri predecessori d’oriente (Geinimi, HongTouTou e l’ultimo arrivato ) risiede nel fatto che questa volta il nemico è tra noi: la nuova minaccia è stata difatti abilmente celata dentro 50 applicazioni ufficiali, regolarmente mantenute nell’Android Market ufficiale. Secondo una stima di Symantec, addirittura, sono stati tra 50.000 e  200.000 gli utenti che hanno scaricato le applicazioni vettori di infezione nei  4 giorni in cui queste sono state nella cresta dell’onda, o sarebbe meglio dire nella cresta dell’onta di Google che se ne è accorta tardivamente e addirittura, secondo Lookout, non ha intrapreso subito azioni efficaci.

Tanto per cambiare il malware prende di mira i dati personali ed il primo utente ad accorgersi dell’anomalia è stato Lampolo, un utente del Social Network Reddit, che ha analizzato due applicazioni sospette, allarmato dal fatto che avessero cambiato nome dello sviluppatore. Analizzando le applicazioni sosepette, Lampolo ha scoperto al loro interno codice maligno in grado di scavalcare il recinto di sabbia di sicurezza (la famigerata sandbox)  in cui l’Androide dovrebbe far girare ile applicazioni impedendogli di accedere direttamente al sistema (ma d’altronde che il recinto di sabbia dell’Androide non sia il massimo della sicurezza non è una novità).

Un ulteriore blogger di Android Police, Justin Case, ha dato uno sguardo un po’ più da vicino alle applicazioni malevole e ha scoperto che il codice maligno è in grado di rootare il dispositivo, mediante lo strumento rageagainstthecage ben noto a chi ha come hobby quello di comprare un androide per prendergli subito la root. Una volta ottenuti i privilegi il malware è in grado di inviare (questa non me l’aspettavo proprio) informazioni sensibili del dispositivo (IMEI e IMSI) ad un server remoto. Il codice cela anche un ulteriore pacchetto APK nascosto all’interno del codice che è in grado di rubare ulteriori dati sensibili.

A questo link, (o quest’altro) la lista completa delle applicazioni infette, riconoscibili per essere riconducibili a tre autori ben precisi: “Kingmall2010″, “myournet” o “we20090202″. Chi non si sentisse particolarmente sicuro può controllare anche la presenza del servizio com.android.providers.downloadsmanager (DownloadManageService) tra i servizi in esecuzione.

Tutti questi mali di stagione sono solo eccezioni, ovvero coda di un Inverno che per l’Androide non sembra mai finire, oppure prefigurano quella che sarà una battaglia senza fine tra autori di malware e forze del bene?

Purtroppo propendo di più per la seconda ipotesi involontariamente rafforzata anche dal fatto che l’Androide, per semplificare la vita agli sviluppatori, utilizza una Java Virtual Machine (la famigerata Dalvik al centro di una causa contro l’Oracolo di Larry Ellison) per far girare il codice, evidenza architetturale che sicuramente aiuta gli sviluppatori, ma, per contro, potrebbe avere pesanti ripercussioni in termini di sicurezza. Il perchè è spiegato in questo articolo di McAfee: “Write Once, Mobile Malware Anywhere“, l’utilizzo di Macchine Virtuali per lo sviluppo ha implicitamente diversi benefici (o sarebbe meglio dire malefici) per il malware.

In effetti se si utilizza una macchina virtuale:

  • Si mantiene la compatibilità visto che le API rimangono le stesse;
  • E’ possibile riutilizzare il codice (alcune porzioni quali l’invio di SMS, il trasferimento Bluetooth, etc.) non devono essere riscritte;
  • Soprattutto rende il malware estremamente contagioso visto che può attaccare diversi dispositivi o Sistemi Operativi che utilizzino una macchina virtuale compatibile con l’originaria.

Poiché la macchina virtuale Dalvik potrebbe presto sbarcare su altri dispositivi,  ne consegue che ben preso l’Androide potrebbe diventare il paziente zero per altri dispositivi. Del lavoro di RIM per sviluppare una JavaVirtual Machine compatibile con l’Androide avevo già parlato in questo post, ora sembra che anche Myriad, un membro della Open Handset Alliance che collabora con Google per lo sviluppo di Android sia al lavoro per un Androide Alieno (ovvero una macchina virtuale compatibile con Dalvik definita scherzosamente Alien Dalvik) in grado di far girare applicazioni Android non modificate su piattaforme aliene, per giunta alla stessa velocità dell’androide nativo (dopo il danno del contagio la beffa della stessa velocità di propagazione dell’infezione).

Certo, conoscendo le politiche di Cupertino, dubito che vedremo mai una Macchina Virtuale Aliena nel cuore della Mela, ad ogni modo, tutto lascia comunque suppore che l’Androide possa diventare la piattaforma di riferimento (anche) per il malware con la conseguenza che  ben presto non dovremo più preooccuparci del solo malware mobile terrestre, ma anche di quello Alieno (molto più alieno di quello con cui Jeff Goldblum salva la Terra su Indipence Day).

La Sindrome Cinese

February 17, 2011 Leave a comment

Nel giorno in cui anche alla RSA Conference 2011 è stato ribadito che “E’ ora di prepararsi per le minacce mobili”, la Sindrome Cinese ha nuovamente colpito l’Androide che, in poche ore, è stato vittima di un nuovo malanno informatico. Ancora proveniente dalla Cina, ancora caratterizzato dal fatto di utilizzare come vettore di infezione un store di applicazioni parallelo cinese. A quanto pare quindi il malware Geinimi ha fatto proseliti.

A seguire le sue orme è oggi il malware HongTouTou (conosciuto anche con il nome di Android.Adrd o anche Android/Adrd.A nella sua ultima variante).

Le dinamiche di questo nuovo contagio dell’Androide Cagionevole (che alcuni ritengono essere una variante di Geinimi) sono le medesime, purtroppo collaudatissime, del suo illustre predecessore: il malware è rimpacchettato dentro applicazioni Android popolari e distribuito tramite market di applicazioni parallele e forum frequentati da utenti di lingua cinese. Ovviamente l’utente dovrebbe accorgersi dei permessi sospetti richiesti durante la fase di installazione.

Il malware, di cui sono state rilevate 14 istanze, è impacchettato dentro applicazioni lecite (tra cui il famosissimo Robo Defense con cui ho passato ore di riposo all’ombra di un ombrellone sotto il Sol Leone dell’Agosto passato). Una volta installata l’applicazione richiede i seguenti permessi, in realtà un po’ sospetti per un semplice passatempo o per un wallpaper:

android.permission.WRITE_APN_SETTINGS
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.ACCESS_NETWORK_STATE
android.permission.READ_PHONE_STATE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.INTERNET
android.permission.MODIFY_PHONE_STATE

 

All’avvio dell’applicazione infetta,  il malware si insinua nel telefono colpito viene eseguito al verificarsi di una delle condizioni sottostanti:

  • Sono passate 12 ore dell’avvio del Sistema Operativo;
  • E’ cambiata la connettività di rete (ad esempio è stata persa e ristabilita);
  • Il dispositivo infetto riceve una chiamata.

All’avvio il Trojan tenta di rubare le seguenti informazioni;

  • 3gnet
  • 3gwap
  • APN
  • cmnet
  • cmwap
  • Hardware information
  • IMEI
  • IMSI
  • Network connectivity
  • uninet
  • uniwap
  • Wifi

e le invia cifrate ad una coppia di domini remoti:

http://adrd.taxuan.net/index
http://adrd.xiaxiab.com/pic.

 

In risposta, HongTouTou riceve una pagina Web, ed un insieme di parole chiave di ricerca da inviare come query. Le richieste vengono inviate ad alcuni link noti. Un esempio di stringa è la seguente:

wap.baidu.com/s?word=[ENCODED SEARCH STRING]&vit=uni&from=[ID]

 

Lo scopo delle query è quello di incrementare il ranking e quindi la visibilità del sito Web.

A questo punto il malware emula il processo di richiesta utilizzando le parole chiave, analizza i risultati della ricerca con il ranking maggiore ed emula i click su specifici risultati, come se fosse l’utente ad effettuarli. Per il motore di ricerca truffato, le richieste sembrano provenire da un utente mobile che utilizza come browser il programma UCWeb Browser, “casualmente” un progamma di navigazione mobile “Made in China” (l’User-Agent corrisponde a J2ME/UCWEB7.4.0.57).

Il malware inoltre è in grado di scaricare pacchetti di installazione Android APK e quindi di autoaggiornarsi. Anche se ancora non è stato osservato sembrerebbe che il malware sia anche in grado di monitorare le conversazioni SMS e inserire contenuto inopportuno all’interno della conversazione SMS.

Ancor prima di dotarsi di una applicazione anti-malware mobile, come al solito le raccomandazioni sono sempre le stesse:

  • Evitare, a meno che non sia strettamente necessario, di abilitare l’opzione di installazione delle applicazioni da Sorgenti Sconosciute (pratica definita anche “sideloading”).
  • Fare attenzione in generale a ciò che si scarica e comunque installare esclusivamente applicazioni da sorgenti fidate (ad esempio l’Android Market ufficiale, le cui applicazioni non sono infette). Buona abitudine è anche quella di verificare il nome dello sviluppatore, le recensioni e i voti degli utenti;
  • Controllare sempre i permessi delle applicazioni durante l’installazione. Naturalmente il buon senso corrisponde al migliore anti-malware per verificare se i permessi sono adeguati allo scopo dell’applicazione;
  • Fare attenzione ai sintomi comportamenti inusuali del telefono (ad esempio SMS inusuali o una sospetta attività di rete) che potrebbero essere indicatori di una possibile infezione.

Aldilà delle raccomandazioni, applicabili in qualsiasi contesto, non posso fare a meno di notare che HongTouTou (o Android.Adrd) è il secondo malware per l’Androide proveniente dalla Cina in meno di due mesi. Poiché sovente i produttori cinesi di sicurezza sono  stati accusati di mettere in circolazione essi stessi il malware per promuovere i propri prodotti, mi domando a questo punto se certe scorciatoie non siano sbarcate anche nel mondo mobile…

Follow

Get every new post delivered to your Inbox.

Join 3,175 other followers