Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
12/5/2012
01:20 AM
Dark Reading
Dark Reading
Security Insights
Connect Directly
RSS
E-Mail
50%
50%

Android Riskier Than PCs: Sophos Security Threat Report 2013

Acceleration of BYOD and cloud, challenges caused by ransomware, continued threats coming from Blackhole, and what to expect in 2013

Annual security threat reports are expected from security companies, while security professionals chomp at the bit to read the research findings.

Sophos recently made its report available for public consumption. The report contains information about new platforms and changing threats, Blackhole, Java, Android as a target, ransomware is back, OS X and the Mac, cybercriminals taken down in 2012, polymorphic and targeted attacks, and what to expect in 2013.

The report opens immediately covering the Blackhole Exploit Kit's 2.0 growing success, which is a crime pack that is taking advantage of software-as-a-service (SaaS) for cybercriminals to rent time to deliver malware during their campaigns. Blackhole Exploit Kit (BHEK) was found representing 27% of the exploited sites and redirects. Redirects are when legitimate websites become compromised and send the user's Web browser to Blackhole for delivering a polymorphic payload.

As stated in the report, "[Blackhole] combines remarkable technical dexterity with a business model that could have come straight from a Harvard Business School MBA case study." That doesn't bode well for security professionals thwarting off cybercriminals and, even worse, for home users.

Bar Chart: Android Threats Accelerate

The Sophos Security Threat Report will take you through the four stages of the Blackhole life cycle. I also recommend reading "Inside a Black Hole" from SophosLabs.

SophosLabs is hard at work tracking Blackhole to detect the changing exploit kit and to counter Blackhole's detection countermeasures. More details are provided in the report, including advice on how to protect your systems.

In 2012, social media sites such as Facebook, Pinterest, and Twitter, to name a few, are where billions of people flocked to provide their statuses, share media, and market their wares. They also were in the company of cybercriminals looking to socially engineer anyone they can in order to deliver malware or phish user account information. The objectives are clear: to steal personal information and deliver more malware.

Social media attacks won't subside in 2013, and they are targeting mobile platforms even more, primarily Android.

From a mobile malware standpoint, Android has become the biggest target, with 52.2 percent market share.

Gerhard Eschelbeck, Sophos' CTO, wrote in the report foreword: "While malware for Android was just a lab example a few years ago, it has become a serious and growing threat."

SophosLabs compiled the Android Threat Exposure Rate (TER), which found countries such as Australia, the U.S., and Germany having a higher percentage of Android devices that experienced a malware attack than PCs over a three-month period.

The report goes on to discuss examples of Android mobile malware techniques to send SMS messages for profit (Andr/Boxer), escalate privileges (i.e. the INSTALL_PACKAGES permission), join the Android device to a botnet (Andr/KongFu-L), and steal banking information (Andr/Zitmo).

Rooting an Android tablet or smartphone is a popular modification to the device for various personal reasons. SophosLabs says in the report, "Rooting bypasses the built-in Android security model that limits each app's access to data from other apps . It's easier for malware to gain full privileges on rooted devices, and to avoid detection and removal."

If mobile malware has an easier opportunity to gain full privileges on rooted devices, then the best advice is to block root devices from getting onto your protected networks.

Get more facts from the full report by downloading the Sophos Security Threat Report 2013 from Sophos directly, without the hassle of a gated registration page. How nice.

David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in latest trends in malware, web threats, endpoint and data protection, mobile security, cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger for the award winning Naked Security blog. David talks regularly with technology executives and professionals to help protect their organizations against the latest security threats. Follow him on Twitter at @DSchwartzberg

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5452
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier does not anticipate the possibility of invalid C-CDA documents with crafted XML attributes, which allows remote attackers to conduct XSS attacks via a document containing a table that is improperly handled during unrestricted xsl:copy operations.

CVE-2014-6041
Published: 2014-09-02
The Android Browser application 4.2.1 on Android allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.