Guest Blog // Selected Security Content Provided By Sophos
1/14/2013
11:48 PM
Dark Reading

Android Mobile Malware Found In The Wild

Finding it hard to believe that mobile malware really exists because you haven't seen it?

A couple of weeks ago, SophosLabs Insights posted an advisory about mobile malware detections increasing, and they still are.

While attending an innocent birthday party for a 4-year-old, a friend (whom we will call Agent P to protect her identity) was showing me something on her 6-month-old Samsung Galaxy S II.

After we watched a video, I asked Agent P if she had any antivirus software on her Galaxy S II. For a moment Agent P thought about it, and she responded that she did, but couldn't recall which one.

We then proceeded to install a brand of free mobile antivirus software I use. As the scan started, right away not-so-innocent mobile malware was detected! That was fast!

Agent P was surprised that her smartphone was harboring mobile malware when she believed that there was antivirus software already installed. Perhaps it wasn't up to date? We didn't investigate.

This family of mobile malware detected by SophosLabs is called Andr/NewYearL-B (also known as CounterClank). Some labs don't consider this to be malware so much as a Potentially Unwanted Application (PUA), as you will read about shortly. We found Andr/NewYearL-B hiding in an Android app called Brightest Flashlight Free version 2.3.3.

In an effort to understand how the malware got there, I asked Agent P which markets she gets her apps from, and she responded with, "Google." I asked her if she goes to other markets for apps, and Agent P made it clear that she only downloads apps from Google Play -- which is the proper thing to do.

We looked at the permissions requested by Brightest Flashlight Free, and this is what we found:

Storage
  • modify or delete the contents of your USB storage
System Tools
  • prevent phone from sleeping
  • install shortcuts
  • uninstall shortcuts
  • read Home settings and shortcuts
Your Location
  • approximate (network-based) location
  • precise (GPS) location
Hardware controls
  • take pictures and videos
  • control flashlight
Other
  • disable or modify status bar
Development tools
  • test access to protected storage
Phone calls
  • read phone status and identity
Network communication
  • view network connections
  • full network access
  • view Wi-Fi connections

Perhaps it's my ignorance, but don't storage, system tools, your location, the camera, development tools, phone calls, and network communication give an app ridiculously more access to the smartphone's capabilities than a flashlight would ever require?
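To put that question into a repeatable check, here is an added example (my own code, not from the post, Sophos or Google) that parses a permission list in the grouped form Google Play displayed it in 2013 and reports every permission outside a baseline of what a flashlight app plausibly needs. The baseline, the risk ranking of the groups and the set of "data source" permissions are my assumptions; the camera permission stays in the baseline because Android of that era drove the LED through the camera API, so even an honest torch app had to request it. The sample input is the list quoted above, re-typed here.

```python
"""Flag permissions that exceed what an app's stated purpose requires.

Added example, not code from the Dark Reading post, Sophos or Google.
It parses a permission list in the grouped form the Google Play store
displayed in 2013 (a group heading, then bulleted entries) and compares
it against an assumed baseline of what a flashlight app needs.
"""
from collections import OrderedDict

# Constructed sample input: the permission list quoted in the post.
FLASHLIGHT_APP_PERMISSIONS = """\
Storage
  • modify or delete the contents of your USB storage
System Tools
  • prevent phone from sleeping
  • install shortcuts
  • uninstall shortcuts
  • read Home settings and shortcuts
Your Location
  • approximate (network-based) location
  • precise (GPS) location
Hardware controls
  • take pictures and videos
  • control flashlight
Other
  • disable or modify status bar
Development tools
  • test access to protected storage
Phone calls
  • read phone status and identity
Network communication
  • view network connections
  • full network access
  • view Wi-Fi connections
"""

# Assumed baseline for a flashlight app (my judgement, not the post's).
# "take pictures and videos" is included because Android of that era
# drove the LED through the camera API, so the CAMERA permission was
# routinely required just to turn the torch on.
FLASHLIGHT_BASELINE = frozenset({
    "control flashlight",
    "take pictures and videos",
    "prevent phone from sleeping",
})

# Groups whose permissions expose personal data or give a network path
# (assumed ranking, used only to order the findings).
HIGH_RISK_GROUPS = frozenset({
    "Storage", "Your Location", "Development tools",
    "Phone calls", "Network communication",
})

# Permissions that read personal or identifying data (assumed set).
DATA_SOURCES = frozenset({
    "approximate (network-based) location",
    "precise (GPS) location",
    "read phone status and identity",
    "modify or delete the contents of your USB storage",
    "test access to protected storage",
    "take pictures and videos",
})


def parse_permission_list(text):
    """Parse 'Group' / '• permission' lines into an ordered group -> [perm] map."""
    groups = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            if current is None:
                raise ValueError("permission line before any group heading: %r" % line)
            groups[current].append(line.lstrip("•").strip())
        else:
            current = line
            groups.setdefault(current, [])
    return groups


def excess_permissions(groups, baseline=FLASHLIGHT_BASELINE):
    """Return (group, permission, risk) for each permission outside the
    baseline, high-risk groups first (stable sort keeps list order within a tier)."""
    findings = []
    for group, perms in groups.items():
        for perm in perms:
            if perm not in baseline:
                risk = "high" if group in HIGH_RISK_GROUPS else "medium"
                findings.append((group, perm, risk))
    findings.sort(key=lambda f: f[2] != "high")
    return findings


def can_exfiltrate(groups):
    """True when the app can both read personal data and reach the network:
    the combination that turns 'too many permissions' into a data-loss risk."""
    perms = {p for plist in groups.values() for p in plist}
    return "full network access" in perms and bool(perms & DATA_SOURCES)


if __name__ == "__main__":
    groups = parse_permission_list(FLASHLIGHT_APP_PERMISSIONS)
    for group, perm, risk in excess_permissions(groups):
        print("%-6s %-22s %s" % (risk, group, perm))
    print("data + network path:", can_exfiltrate(groups))
```

Run as a script it lists the twelve permissions the flashlight app requests beyond the baseline, with the location, identity, storage and network entries first. The `can_exfiltrate` rule is the part worth keeping in any review checklist: a single odd permission is a curiosity, but a data source paired with full network access is exactly the path by which personal information leaves the phone.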

The brightest moment of our day was uninstalling the infected version of Brightest Flashlight Free. We hoped that not too much of Agent P's personal information was siphoned back to the cybercriminals. She does understand that there is a high probability of data loss, since the app had enough time to do its dirty deeds. Fortunately, this is a personal device without any company-confidential or ePHI data.

As for the app's reputation, it has a very high rating in the Google Play store, which is a very good gauge of user satisfaction and the cleanliness of an app. After a couple of minutes of reading the negative reviews, I found that while these reviews don't use terms such as malware or virus, they do describe malware behavior.

"No reason that this app should constantly run in the background when not in use."

"It always freezes my phone. I always have to restart it."

"Ok app, but why all the invasive permissions. .. Take pictures? Location? UNINSTALLED"

"Began scanning my phone without permission and offering security fixes when I used the light. !"

Our advice is don't let down your guard: only download from Google Play, check the reviews, don't root your Android, and get protection proactively, before you learn the lesson Agent P did.

Mobile malware is real, and it can even be found at a 4-year-old's birthday party. But it can be controlled.

No security, no privacy. Know security, know privacy.

David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in the latest trends in malware, web threats, endpoint and data protection, mobile security, and cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger for the award-winning Naked Security blog. David talks regularly with technology executives and professionals to help protect their organizations against the latest security threats. Follow him on Twitter @DSchwartzberg

Comments
Messany
User Rank: Apprentice
1/21/2013 | 3:26:26 AM
re: Android Mobile Malware Found In The Wild
Android is attracting malware like sh%t attracts flies. Don't give mobile ad networks a pass on this either. They have been way too lax in their efforts to curb the spread of this crap. Would like to see more of what Airpush is doing. As a mobile ad network inside the ecosystem that is evidently being plagued most by malware, they've been very responsible in how they do business. Everyone needs to be held to this same standard. http://blog.airpush.com/how-ai...
tholyoak
User Rank: Apprentice
1/17/2013 | 6:37:35 PM
re: Android Mobile Malware Found In The Wild
If you're going to use an app store in your security strategy, Amazon is probably safer than Google Play. Google Play will let anyone submit an app (as long as they're willing to pay their $25), and it's live almost instantly. On the other hand, Amazon actually tests apps before they add them.