Dark Reading
Guest Blog // Selected Security Content Provided By Sophos
1/14/2013 11:48 PM

Android Mobile Malware Found In The Wild

Finding it hard to believe that mobile malware really exists because you haven't seen it?

A couple of weeks ago, SophosLabs Insights posted an advisory about mobile malware detections increasing, and they still are.

While I was attending an innocent birthday party for a 4-year-old, a friend (whom we will call Agent P to protect her identity) was showing me something on her 6-month-old Samsung Galaxy S II.

After we watched a video, I asked Agent P whether she had any antivirus software on her Galaxy S II. Agent P thought about it for a moment and responded that she did, but she couldn't recall which one.

We then proceeded to install the free mobile antivirus software I use. As soon as the scan started, not-so-innocent mobile malware was detected. That was fast!

Agent P was surprised that her smartphone was harboring mobile malware when she believed antivirus software was already installed. Perhaps it wasn't up to date? We didn't investigate.

This family of mobile malware detected by SophosLabs is called Andr/NewYearL-B (also known as CounterClank). Some labs don't consider this to be malware so much as a Potentially Unwanted Application (PUA), as you will read about shortly. We found Andr/NewYearL-B hiding in an Android app called Brightest Flashlight Free, version 2.3.3.

In an effort to understand how the malware got there, I asked Agent P which markets she gets her apps from, and she responded, "Google." I asked her if she goes to other markets for apps, and Agent P made it clear that she only downloads apps from Google Play -- which is the proper thing to do.

We looked at the permissions requested by Brightest Flashlight Free, and this is what we found:

Storage
  • modify or delete the contents of your USB storage
System Tools
  • prevent phone from sleeping
  • install shortcuts
  • uninstall shortcuts
  • read Home settings and shortcuts
Your Location
  • approximate (network-based) location
  • precise (GPS) location
Hardware controls
  • take pictures and videos
  • control flashlight
Other
  • disable or modify status bar
Development tools
  • test access to protected storage
Phone calls
  • read phone status and identity
Network communication
  • view network connections
  • full network access
  • view Wi-Fi connections

Perhaps it's my ignorance, but don't storage, system tools, your location, the camera, development tools, phone calls, and network communication give this app ridiculously more access to the smartphone's capabilities than a flashlight app would ever require?
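The permission review above is something a defender can do systematically before an app is installed. As an added example (not from the post, Sophos or the app's developer), the Python below parses a constructed AndroidManifest.xml carrying the same permission set the post lists, compares it with a least-privilege baseline for a flashlight app, and flags the permissions that expose identity, location or a network path off the device. The baseline, the mapping from Play Store labels to manifest permission names, and the sample manifest are my assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Least-privilege baseline for a flashlight app (my assumption, not from the post).
FLASHLIGHT_BASELINE = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}

# Permissions that expose identity or location, or let data leave the device.
# Labels are the Play Store wording quoted in the post; the mapping to manifest
# permission names is my assumption.
HIGH_RISK = {
    "android.permission.READ_PHONE_STATE": "read phone status and identity",
    "android.permission.ACCESS_FINE_LOCATION": "precise (GPS) location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate (network-based) location",
    "android.permission.INTERNET": "full network access",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or delete the contents of your USB storage",
}

# Constructed sample manifest reproducing most of the permission set the post lists.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names; the android: namespace must be honoured."""
    root = ET.fromstring(manifest_xml)
    return {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}


def audit(manifest_xml, baseline):
    """Compare requested permissions with a least-privilege baseline for the app's purpose."""
    requested = requested_permissions(manifest_xml)
    excess = requested - baseline
    high_risk = {p: HIGH_RISK[p] for p in sorted(excess) if p in HIGH_RISK}
    # Network access combined with identity, location or storage access is what
    # lets personal data leave the device, which is the concern the post raises.
    can_exfiltrate = "android.permission.INTERNET" in requested and len(high_risk) > 1
    return {"excess": sorted(excess), "high_risk": high_risk, "can_exfiltrate": can_exfiltrate}
```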

The brightest moment of our day was uninstalling the infected version of Brightest Flashlight Free. We hoped that not too much of Agent P's personal information had been siphoned back to the cybercriminals. She understands there is a high probability of data loss, since the app had enough time to do its dirty deeds. Fortunately, this is a personal device without any company confidential or ePHI data.

As for the app's reputation, it has a very high rating in the Google Play store, which is usually a good gauge of user satisfaction and of whether an app is clean. After a couple of minutes of reading the negative reviews, however, I found that while they don't use terms such as malware or virus, they describe malware behavior.

"No reason that this app should constantly run in the background when not in use."

"It always freezes my phone. I always have to restart it."

"Ok app, but why all the invasive permissions... Take pictures? Location? UNINSTALLED"

"Began scanning my phone without permission and offering security fixes when I used the light!"

Our advice is: don't let down your guard; only download from Google Play, check the reviews, don't root your Android, and get protection proactively, before you learn the lesson Agent P did.

Mobile malware is real, and it can even be found at a 4-year-old's birthday party. But it can be controlled.

No security, no privacy. Know security, know privacy.

David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in the latest trends in malware, web threats, endpoint and data protection, mobile security, and cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger for the award-winning Naked Security blog. David talks regularly with technology executives and professionals to help protect their organizations against the latest security threats. Follow him on Twitter @DSchwartzberg.

Comments

Messany
User Rank: Apprentice
1/21/2013 | 3:26:26 AM
re: Android Mobile Malware Found In The Wild
Android is attracting malware like sh%t attracts flies. Don't give mobile ad networks a pass on this either. They have been way too lax in their efforts to curb the spread of this crap. Would like to see more of what Airpush is doing. As a mobile ad network inside the ecosystem that is evidently being plagued most by malware, they've been very responsible in how they do business. Everyone needs to be held to this same standard. http://blog.airpush.com/how-ai...
tholyoak
User Rank: Apprentice
1/17/2013 | 6:37:35 PM
re: Android Mobile Malware Found In The Wild
If you're going to use an app store in your security strategy, Amazon is probably safer than Google Play. Google Play will let anyone submit an app (as long as they're willing to pay their $25), and it's live almost instantly. On the other hand, Amazon actually tests apps before they add them.