Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
12/5/2012
01:20 AM
Security Insights
Security Insights
Security Insights
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Android Riskier Than PCs: Sophos Security Threat Report 2013

Acceleration of BYOD and cloud, challenges caused by ransomware, continued threats coming from Blackhole, and what to expect in 2013

Annual security threat reports are expected from security companies, while security professionals chomp at the bit to read the research findings.

Sophos recently made its report available for public consumption. The report contains information about new platforms and changing threats, Blackhole, Java, Android as a target, ransomware is back, OS X and the Mac, cybercriminals taken down in 2012, polymorphic and targeted attacks, and what to expect in 2013.

The report opens immediately covering the Blackhole Exploit Kit's 2.0 growing success, which is a crime pack that is taking advantage of software-as-a-service (SaaS) for cybercriminals to rent time to deliver malware during their campaigns. Blackhole Exploit Kit (BHEK) was found representing 27% of the exploited sites and redirects. Redirects are when legitimate websites become compromised and send the user's Web browser to Blackhole for delivering a polymorphic payload.

As stated in the report, "[Blackhole] combines remarkable technical dexterity with a business model that could have come straight from a Harvard Business School MBA case study." That doesn't bode well for security professionals thwarting off cybercriminals and, even worse, for home users.

Bar Chart: Android Threats Accelerate

The Sophos Security Threat Report will take you through the four stages of the Blackhole life cycle. I also recommend reading "Inside a Black Hole" from SophosLabs.

SophosLabs is hard at work tracking Blackhole to detect the changing exploit kit and to counter Blackhole's detection countermeasures. More details are provided in the report, including advice on how to protect your systems.

In 2012, social media sites such as Facebook, Pinterest, and Twitter, to name a few, are where billions of people flocked to provide their statuses, share media, and market their wares. They also were in the company of cybercriminals looking to socially engineer anyone they can in order to deliver malware or phish user account information. The objectives are clear: to steal personal information and deliver more malware.

Social media attacks won't subside in 2013, and they are targeting mobile platforms even more, primarily Android.

From a mobile malware standpoint, Android has become the biggest target, with 52.2 percent market share.

Gerhard Eschelbeck, Sophos' CTO, wrote in the report foreword: "While malware for Android was just a lab example a few years ago, it has become a serious and growing threat."

SophosLabs compiled the Android Threat Exposure Rate (TER), which found countries such as Australia, the U.S., and Germany having a higher percentage of Android devices that experienced a malware attack than PCs over a three-month period.

The report goes on to discuss examples of Android mobile malware techniques to send SMS messages for profit (Andr/Boxer), escalate privileges (i.e. the INSTALL_PACKAGES permission), join the Android device to a botnet (Andr/KongFu-L), and steal banking information (Andr/Zitmo).

Rooting an Android tablet or smartphone is a popular modification to the device for various personal reasons. SophosLabs says in the report, "Rooting bypasses the built-in Android security model that limits each app's access to data from other apps . It's easier for malware to gain full privileges on rooted devices, and to avoid detection and removal."

If mobile malware has an easier opportunity to gain full privileges on rooted devices, then the best advice is to block root devices from getting onto your protected networks.

Get more facts from the full report by downloading the Sophos Security Threat Report 2013 from Sophos directly, without the hassle of a gated registration page. How nice.

David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in latest trends in malware, web threats, endpoint and data protection, mobile security, cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger for the award winning Naked Security blog. David talks regularly with technology executives and professionals to help protect their organizations against the latest security threats. Follow him on Twitter at @DSchwartzberg

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web