Google has pulled at least 21 free applications from its Android Market late Tuesday after software developers found hidden malware aimed at gaining access to sensitive data.
The free applications included a variety of games and were removed after bloggers questioned hidden malcode in them that attempted to gain root access to the user’s smartphone. Google removed the apps and references to their publisher, Myournet, within minutes of being informed of the problem.
According to Aaron Gingrich, who writes for the Android Police blog, the apps contained a variety of hidden features, including the ability to contact a remote server to download more malware.
“I asked our resident hacker to take a look at the code himself, and he’s verified it does indeed root the user’s device,” Gingrich wrote.
“But that’s just the tip of the iceberg: it does more than just yank IMEI and IMSI. There’s another APK hidden inside the code, and it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But that’s all child’s play; the true pièce de résistance is that it has the ability to download more code. In other words, there’s no way to know what the app does after it’s installed, and the possibilities are nearly endless.”
The malware has been analyzed by mobile malware researchers at Lookout Inc. Called DroidDream, the malware has been discovered in more than 50 applications in the official Android Market. In an update on the Lookout blog, the company said Google is actively working on the issue. The Lookout DroidDream blog post also lists all the affected applications.
We originally reported that Google removed the apps from devices, but we recently learned that the remote removal system has not yet been engaged for these applications because they are under active investigation.
Until now, malware had been surfacing in apps on third-party Android app repositories. Google and Apple have removed Android and iPhone apps in the past for failing to comply with certain standards. While both mobile giants check apps for software quality and interaction with the smartphone OS, experts point out that they do not closely scrutinize applications for hidden malicious code and other security issues.
Security researchers at mobile security firm Lookout Inc. have discovered a new Trojan designed to compromise smartphones running Google’s Android operating system.
The San Francisco-based firm is calling the new malware “Geinimi” and said it can steal personal data on the user’s phone and send it to remote servers. Lookout said the Geinimi malware displays botnet-like capabilities by having the ability to receive commands from a remote command and control server.
The good news is that so far infections are limited to users who download mobile applications distributed via third-party Chinese Android application markets. The malware is integrated in certain games and requires user interaction, Lookout said.
The affected applications request extensive permissions over and above the set requested by their legitimate original versions. Though the intent of this Trojan isn’t entirely clear, the possibilities range from a malicious ad network to an attempt to create an Android botnet.
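The permission gap described above (a repackaged app asking for far more than the original it was copied from) is one of the few signals a reviewer can check mechanically. The following is an added example, not code from Lookout or from any project named in the article: it compares the `uses-permission` entries of two AndroidManifest.xml files and reports what the candidate added. Both manifests, the package name `com.example.puzzlegame`, and the `SENSITIVE` list are constructed for illustration; the code assumes the manifests have already been decoded from the APK’s binary XML to text.

```python
"""Compare the permissions declared by two decoded AndroidManifest.xml files.

Added example: the manifests below are constructed and do not belong to any
application named in the article. Real APKs carry the manifest in a binary XML
encoding; this code assumes it has been decoded to text beforehand.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions whose sudden appearance in a repackaged game warrants review.
# Illustrative subset chosen for this example, not Android's official list.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.INSTALL_PACKAGES",
}

# Constructed manifest of the hypothetical legitimate game.
ORIGINAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Constructed manifest of a repackaged copy of the same game.
REPACKAGED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        # The name attribute lives in the android: namespace.
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            names.add(name)
    return names


def permission_delta(original_xml, candidate_xml):
    """Describe how the candidate's permissions differ from the original's."""
    original = declared_permissions(original_xml)
    candidate = declared_permissions(candidate_xml)
    added = candidate - original
    return {
        "added": sorted(added),
        "removed": sorted(original - candidate),
        "sensitive_added": sorted(added & SENSITIVE),
    }


if __name__ == "__main__":
    delta = permission_delta(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST)
    for key, value in delta.items():
        print("%-16s %s" % (key, ", ".join(value) or "-"))
```

A delta with several entries under `sensitive_added` and none under `removed` is the pattern the article describes: the original behaviour is retained and capabilities are bolted on. In practice the comparison is only as good as the baseline, so the original manifest should come from a copy obtained directly from the developer or the official market.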
Security researchers have been predicting that attackers will begin to use mobile malware to steal sensitive data stored on smartphones or sniff payment information as more and more users conduct banking and make purchases on their smartphones. While researchers have demonstrated vulnerabilities in smartphones, including the Apple iPhone, only jailbroken devices have been targeted in limited attacks.
Some researchers believe vulnerabilities in applications could be the avenue of future attacks. A common misconception is that the applications are vetted for security issues by major app store vendors, including Google, Apple, and Blackberry. In a recent interview, security expert Winn Schwartau of Mobile Active Defense said that is absolutely NOT the case.
Lookout said the Geinimi malware attempts to contact C&C servers at five-minute intervals using one of ten embedded domain names. Lookout said the malware has the capability to send the location coordinates of the device and the smartphone identifiers, as well as a list of the applications installed on the victim’s device.
Graham Cluley, a security consultant with UK-based security vendor Sophos, downplayed the threat posed by Geinimi. He said only users who deliberately change the settings on their phone to install software from “unknown sources” are at risk of infection.
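A fixed check-in cadence against a small pool of domains, as Lookout describes for Geinimi, is detectable from ordinary egress logs without knowing the domains in advance. The following is an added example and not Lookout’s analysis or code: it groups outbound requests per device, measures the gaps between consecutive requests and flags devices whose median gap sits near the expected period with little jitter, listing the domains involved. The log format (ISO timestamp, `device=`, `host=`) is an assumption about a generic proxy or DNS log, and every line, device id and domain is constructed; the domains use the reserved `.invalid` TLD.

```python
"""Flag devices that beacon on a fixed cadence to a small set of domains.

Added example: log lines are constructed here; the domains use the reserved
.invalid TLD and the line format is an assumption, not a vendor's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics


def constructed_log():
    """Build a small constructed log: one beaconing device, one browsing device."""
    lines = []
    start = datetime(2010, 12, 29, 10, 0, 0)
    # Device A: checks in roughly every 300 s, rotating through ten domains,
    # with a few seconds of jitter so the gaps are not perfectly equal.
    cc_domains = ["srv%d.beacon.invalid" % i for i in range(1, 11)]
    jitter = [0, 1, -2, 3, 0, 2, -1, 0, 1, -1, 2, 0]
    for i, j in enumerate(jitter):
        ts = start + timedelta(seconds=300 * i + j)
        lines.append("%s device=A host=%s" % (ts.isoformat(), cc_domains[i % 10]))
    # Device B: ordinary browsing with irregular timing.
    browsing = [(0, "news.example.invalid"), (37, "cdn.example.invalid"),
                (41, "cdn.example.invalid"), (900, "mail.example.invalid"),
                (2000, "news.example.invalid"), (2100, "shop.example.invalid"),
                (5000, "cdn.example.invalid")]
    for offset, host in browsing:
        ts = start + timedelta(seconds=offset)
        lines.append("%s device=B host=%s" % (ts.isoformat(), host))
    return sorted(lines)


def parse_line(line):
    """Split '<iso-timestamp> device=<id> host=<fqdn>' into its three fields."""
    ts_str, dev_kv, host_kv = line.split()
    return (datetime.fromisoformat(ts_str),
            dev_kv.split("=", 1)[1],
            host_kv.split("=", 1)[1])


def find_beacons(lines, expected_period=300, tolerance=0.05, min_hits=6):
    """Return {device: details} for devices whose request gaps cluster near
    expected_period (seconds) with relative spread below tolerance."""
    events = defaultdict(list)
    for line in lines:
        ts, dev, host = parse_line(line)
        events[dev].append((ts, host))

    findings = {}
    for dev, evs in events.items():
        evs.sort()
        if len(evs) < min_hits:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        gaps = [g for g in gaps if g > 0]  # ignore same-second duplicates
        if len(gaps) < min_hits - 1:
            continue
        median_gap = statistics.median(gaps)
        spread = statistics.pstdev(gaps) / median_gap
        near_period = abs(median_gap - expected_period) <= expected_period * tolerance
        if near_period and spread <= tolerance:
            findings[dev] = {
                "period_s": median_gap,
                "hits": len(evs),
                "domains": sorted({h for _, h in evs}),
            }
    return findings


if __name__ == "__main__":
    for dev, info in find_beacons(constructed_log()).items():
        print("device %s: ~%.0f s cadence over %d requests to %d domains"
              % (dev, info["period_s"], info["hits"], len(info["domains"])))
```

On real traffic the per-device timeline is noisy, so the usual first step is to restrict the input to destinations that few devices in the fleet ever contact; the cadence test then runs on that residue. The `expected_period` and `tolerance` values are the parameters an analyst would tune, and the example goes slightly beyond the article in that it also reports the rotating domain set rather than a single host.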
So, the sky is not falling – and it’s not the end of the world as we know it if you love all things Android. But Android users should still be sensible about security.
Attackers will target Apple devices in 2011 as well as the growing list of smartphones and tablets being introduced to the workplace, according to a new report from McAfee.
The Santa Clara, Calif.-based security firm issued its 2011 Threat Predictions report today, outlining the top threats its researchers identified for the coming year. The security vendor said Apple will no longer fly under the radar. The growing popularity of iPads and iPhones has increased Apple’s market share and made the Mac OS platform and Apple’s mobile iOS software a growing target.
“The popularity of iPads and iPhones in business environments, combined with the lack of user understanding of proper security for these devices, will increase the risk for data and identity exposure, and will make Apple botnets and Trojans a common occurrence.”
Apple devices won’t be the only targets. The rising popularity of smartphones and tablet devices in the workplace will prompt attackers to target the devices to gain access to corporate data. Despite mobile malware being virtually non-existent, security researchers have seen malware target devices that have been jailbroken. McAfee said slow adoption of encryption on mobile devices and a fragile cellular infrastructure could put corporate data at a higher level of risk.
Social networking attacks will also become more extreme, according to McAfee researchers. URL-shortening services, which are used on Twitter and Facebook, combined with the high trust factor those social networks have, are making it easy for attackers to quickly spread phishing attacks and gain control of user accounts to spread malware and harvest sensitive data.
“The use of abbreviated URLs on sites like Twitter makes it easy for cybercriminals to mask and direct users to malicious websites. With more than 3,000 shortened URLs per minute being generated, McAfee Labs expects to see a growing number used for spam, scamming and other malicious purposes.”
In addition, the rising popularity of geolocation services used by social networks and mobile applications could make it easier for attackers to generate a highly targeted social engineering attack. The location services, which include Foursquare, Gowalla, Facebook Places and others, can be used to track and plot the location of users.
Geolocation certainly makes it easier to target individuals, but the growing use of Twitter has put some people at risk. At McAfee Focus 2010, Dave Marcus, director of security research and communications demonstrated several free, browser-based search platforms that can help an attacker chart a person’s location based on their Twitter posts. In a few short minutes, Marcus demonstrated how easy it was to identify several users and chart their route to work each morning, based on their Tweets.
“In just a few clicks, cybercriminals can see in real time who is tweeting, where they are located, what they are saying, what their interests are, and what operating systems and applications they are using.”
Other predictions include a growing number of malicious applications used in widely deployed media platforms, such as Google TV. While the applications may not be designed to steal data, they could leak personal information, including privacy and identity data, McAfee said. Like many smartphone applications, applications on media devices are not likely vetted for security and privacy. McAfee also said it expects botnet sophistication to increase, with functionality to bypass security mechanisms and law enforcement monitoring.
A security researcher demonstrating some of the weaknesses in mobile devices has chosen to target Blackberrys with new proof-of-concept code that could be used to listen to conversations, view messages and track users of the device.
Tyler Shields, a senior researcher at application security testing vendor Veracode, demonstrated his code at the Shmoocon hacker conference last weekend in Washington, D.C. The malicious application is not stealthy and doesn’t pose a major threat to users for now. It can view contacts and messages, listen to conversations and track the location of the device using its GPS system.
Shields and Chris Eng, Veracode’s senior director of security research, said the project is purely educational. It demonstrates that a savvy attacker could develop a malicious application and, if it passes the screening processes of an application store, it could find its way onto user devices.
Eng wrote on the Veracode research blog:
Our goal was to demonstrate how BlackBerry applications can access and leak sensitive information, using only RIM-provided APIs and no trickery or exploits of any sort … We make no assumptions about how the malicious application will be installed on the phone, and we haven’t attempted to sneak a malicious application into BlackBerry App World.
Called txsBBSpy, the code could be built into what appears to be an innocuous application. Once downloaded onto a device, the application could quietly steal data, which could be sold on the black market. According to most OS makers’ terms and conditions, applications that use data stored on a mobile device are required to ask permission. Veracode also posted a video demonstration of the Blackberry spyware app.
In addition, OS makers Apple, Symbian, Google (Android) and Research in Motion typically test applications for stability issues before making them available for download. Eng said the process gives users a false sense of security because the applications rarely undergo security testing.
Tighter IT policies restricting users from downloading applications could significantly reduce the risk, but according to Shields, most enterprises have an “allow-all” policy. Enterprises can also reduce the risk by investigating applications themselves and then creating an approved list of applications for end-users, he said.
A number of spyware applications are being sold online. FlexiSpy must be manually downloaded onto a device, but once installed it can listen to conversations, log SMS and email messages and track a user.
In December, Google removed from its Android Market online application store dozens of suspicious applications that had the potential to steal banking credentials from users. Several banks and credit unions warned customers of the potential for fraud using the applications. The apps used the names of banks without permission, and many security experts said they could have been used in a phishing scheme, though there were no reports of fraud.
In what could be one of the first signs that attackers are testing smartphones as another way to gain access to sensitive information, a Beaverton, Oregon credit union is warning its customers about a rogue Android application that attempts to set up online access to bank accounts.
The Android app has been removed from the Android marketplace, according to First Tech Credit Union. Called Droid09, the application didn’t target a specific financial institution. In a message to customers, the credit union said the app was designed to appear as a shell of a typical mobile banking app, but after a person configures their account information, it then tries to gain access to the victim’s financial information.
Smartphones running more powerful processors are now capable of handling ever more sophisticated applications. Apple, Research In Motion, Palm and now Google closely monitor the applications they make available to smartphone users. All four smartphone OS makers have a strict application approval process, but some security experts say it’s unclear exactly how closely the application is scrutinized. There’s no word on how the app made it through Google’s approval process, making it into the marketplace for Android OS phones.
Graham Cluley, a security consultant with UK-based security vendor Sophos, blogged about the rogue Android application today. Apple heavily scrutinizes the applications developed for the iPhone and has been known to reject them for a variety of reasons. Its applications also run in a sandbox-like environment, making it more difficult for an attacker to use an application as a loophole into the phone OS itself. Cluley said the only malware that has recently emerged targeting smartphones has been the iKee worm, which targeted jailbroken iPhones – a tiny fraction of Apple’s overall user base.
The Android marketplace, however, is not as closely monitored as Apple’s equivalent, and adopts a more “anything goes” philosophy. This, combined with the current buzz around new phones running Android such as the Motorola Droid and the Google Nexus One, may make the platform more attractive to cybercriminals in future.
With Apple’s rumored iSlate announcement anticipated at the end of the month, and a slew of tablet-like devices introduced at the recent Computer Electronics Show last week, attackers may be tempted to take a look at how those devices handle applications. It’s unclear whether those devices will be an extension of the smartphone OSes and how easy it will be to develop applications for the tablet PCs. If users have free rein to download and install anything they like and there’s enough market share, it’s a safe bet that cybercriminals will see money to be made.
Other security experts believe most cell phone users won’t have to worry about mobile malware for quite some time. PandaLabs security researcher Sean-Paul Correll said the cell phone market continues to be too fragmented. And he may be right: recent statistics suggest that even with the iPhone’s success and now Google’s Android OS, their market share isn’t significant enough for attackers. Even Symbian phones, which carry slightly more than 50% of the worldwide market, haven’t been targeted in great numbers.
The popularity of smartphones, from Apple’s super hot iPhone to Android and even BlackBerry devices, has some security pros predicting a smartphone apocalypse. But new figures released this week by Nielsen Media Research reveal a highly fragmented U.S. mobile market with literally hundreds of different kinds of handsets. It may mean that malware authors could have a very difficult time gaining a foothold deep enough in the mobile market to make it lucrative.
With all of the iPhone popularity, Nielsen found the Apple 3G iPhone making up only 4% of the subscriber base. In a Nielsen chart outlining the Top 10 mobile phones in use in the United States, Research In Motion’s (RIM) BlackBerry shows up three times, but still only manages to make up about 6% of the subscriber base.
The issue, according to experts I’ve talked to, is that people tend to hold on to their cell phones for as long as possible, or at a minimum until the end of their two-year contract with their cellular service provider. In addition to 3G iPhones and BlackBerrys, the top 10 list reveals a smattering of Motorola phones. Samsung and LG phones took four spots on the list.
So, you say it doesn’t matter what kind of phone a person is using; it’s the underlying operating system. Well, I turned to market share figures provided by Gartner showing Apple’s iPhone firmware skyrocketing. What does that mean? Well, its popularity has earned it about a 17% market share worldwide. Even the most popular OS – Symbian, known for being targeted by phishing attacks via texting – earns its place at about 50% of the worldwide market. RIM’s BlackBerry software platform, which is mainly popular in many enterprises, makes up about 20% of the global market, according to Gartner’s market share figures.
This leads me to think the fear and loathing we hear about 2010 being the year of smartphone malware may be overstated. If there’s anything I’ve learned in the relatively short time I’ve been covering the security industry, it’s that malware authors have shown throughout history they will always pick the low-hanging fruit. It doesn’t take a lot of effort and there’s still a rather big payoff. A fragmented mobile phone market, further complicated by different cellular providers and different systems from country to country, may shelter smartphones from being actively targeted.
That’s not to say we shouldn’t keep an eye on the market. Security researchers should continue to turn their attention to the rising use of smartphones and the more powerful memory and processors being packed into the tiny devices. SRI International released an analysis this week of the iPhone botnet created by the iKee worm, which targeted jailbroken iPhones in November.
In fact, the SRI researchers make a good case for the importance of the research:
Although the iKee.B botnet discussed here admittedly offers a rather limited growth potential, iKee.B nevertheless provides an interesting proof of concept that much of the functionality we have grown to expect from PC-based botnets can be easily migrated into a light-weight smartphone application. … While it is unclear just how well prepared smartphone users are to this new reality, it is clear that malware developers are preparing for this new reality right now.
There’s no excuse for not being prepared.