Guest Blog // Selected Security Content Provided By Sophos
1/14/2013
11:48 PM
Security Insights

Android Mobile Malware Found In The Wild

Finding it hard to believe that mobile malware really exists because you haven't seen it?

A couple of weeks ago, SophosLabs Insights posted an advisory about mobile malware detections increasing, and they still are.

While attending an innocent birthday party for a 4-year-old, a friend (whom we will call Agent P to protect her identity) was showing me something on her 6-month-old Samsung Galaxy S II.

After we watched a video, I asked Agent P if she had any antivirus software on her Galaxy S II. For a moment Agent P thought about it, and she responded that she did, but couldn't recall which one.

We then proceeded to install a brand of free mobile antivirus software I use. As the scan started, right away not-so-innocent mobile malware was detected! That was fast!

Agent P was surprised that her smartphone was harboring mobile malware when she believed that there was antivirus software already installed. Perhaps it wasn't up to date? We didn't investigate.

This family of mobile malware detected by SophosLabs is called Andr/NewYearL-B (also known as CounterClank). Some labs don't consider this to be malware so much as a Potentially Unwanted Application (PUA), as you will read about shortly. We found Andr/NewYearL-B hiding in an Android app called Brightest Flashlight Free version 2.3.3.

In an effort to understand how the malware got there, I asked Agent P which markets she gets her apps from, and she responded with, "Google." I asked her if she goes to other markets for apps, and Agent P made it clear that she only downloads apps from Google Play -- which is the proper thing to do.

We looked at the permissions requested by Brightest Flashlight Free, and this is what we found:

Storage
  • modify or delete the contents of your USB storage
System Tools
  • prevent phone from sleeping
  • install shortcuts
  • uninstall shortcuts
  • read Home settings and shortcuts
Your Location
  • approximate (network-based) location
  • precise (GPS) location
Hardware controls
  • take pictures and videos
  • control flashlight
Other
  • disable or modify status bar
Development tools
  • test access to protected storage
Phone calls
  • read phone status and identity
Network communication
  • view network connections
  • full network access
  • view Wi-Fi connections

Perhaps it's my ignorance, but wouldn't permissions covering storage, system tools, your location, the camera, development tools, phone calls, and network communication give the app ridiculously more access to the smartphone's capabilities than a flashlight app would require?
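The over-permissioned-app check above can be automated for app vetting. The following is an added example, not code from the original article or from Sophos: it parses the `<uses-permission>` entries of an Android manifest and reports everything beyond a baseline of what a flashlight app needs (camera and flashlight). The manifest and the baseline are constructed assumptions that mirror the permission groups listed above.

```python
"""Flag permissions an Android app requests beyond what its category needs.
Added example: compares <uses-permission> entries against an allowlist."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed baseline: a flashlight app legitimately needs the camera LED only.
FLASHLIGHT_BASELINE = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
}

# Constructed manifest approximating the permission groups in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.EXPAND_STATUS_BAR"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {
        elem.get(name_attr)
        for elem in root.iter("uses-permission")
        if elem.get(name_attr)
    }


def excess_permissions(manifest_xml: str, baseline: set) -> set:
    """Permissions requested beyond the baseline; a non-empty result is the
    red flag the article describes for a flashlight app."""
    return requested_permissions(manifest_xml) - baseline


if __name__ == "__main__":
    for perm in sorted(excess_permissions(SAMPLE_MANIFEST, FLASHLIGHT_BASELINE)):
        print("excess:", perm)
```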

The brightest moment of our day was uninstalling the infected version of Brightest Flashlight Free. We hoped that not too much of Agent P's personal information was siphoned back to the cybercriminals. She does understand there is a high probability of data loss since the app had enough time to do its dirty deeds. Fortunately, this is a personal device without any company confidential or ePHI data.

As for the app's reputation, it has a very high rating in the Google Play store, which is generally taken as a good gauge of user satisfaction and of an app's cleanliness. After a couple of minutes of reading negative reviews, I found that while these reviews don't use terms such as malware or virus, they describe malware behavior.

"No reason that this app should constantly run in the background when not in use."

"It always freezes my phone. I always have to restart it."

"Ok app, but why all the invasive permissions. .. Take pictures? Location? UNINSTALLED"

"Began scanning my phone without permission and offering security fixes when I used the light. !"

Our advice is don't let down your guard: only download from Google Play, check the reviews, don't root your Android, and get protection proactively before you learn the lesson Agent P learned.

Mobile malware is real, and it can even be found at a 4-year-old's birthday party. But it can be controlled.

No security, no privacy. Know security, know privacy.

David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger for the award-winning Naked Security blog. David talks regularly with technology executives and professionals to help protect their organizations against the latest security threats. Follow him on Twitter @DSchwartzberg

Comments
Messany,
User Rank: Apprentice
1/21/2013 | 3:26:26 AM
re: Android Mobile Malware Found In The Wild
Android is attracting malware like sh%t attracts flies. Don't give mobile ad networks a pass on this either. They have been way too lax in their efforts to curb the spread of this crap. Would like to see more of what Airpush is doing. As a mobile ad network inside the ecosystem that is evidently being plagued most by malware, they've been very responsible in how they do business. Everyone needs to be held to this same standard. http://blog.airpush.com/how-ai...
tholyoak,
User Rank: Apprentice
1/17/2013 | 6:37:35 PM
re: Android Mobile Malware Found In The Wild
If you're going to use an app store in your security strategy, Amazon is probably safer than Google Play. Google Play will let anyone submit an app (as long as they're willing to pay their $25), and it's live almost instantly. On the other hand, Amazon actually tests apps before they add them.