Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
12/5/2012
01:20 AM
Dark Reading
Dark Reading
Security Insights
Connect Directly
RSS
E-Mail
50%
50%

Android Riskier Than PCs: Sophos Security Threat Report 2013

Acceleration of BYOD and cloud, challenges caused by ransomware, continued threats coming from Blackhole, and what to expect in 2013

Annual security threat reports are expected from security companies, while security professionals chomp at the bit to read the research findings.

Sophos recently made its report available for public consumption. The report contains information about new platforms and changing threats, Blackhole, Java, Android as a target, ransomware is back, OS X and the Mac, cybercriminals taken down in 2012, polymorphic and targeted attacks, and what to expect in 2013.

The report opens immediately covering the Blackhole Exploit Kit's 2.0 growing success, which is a crime pack that is taking advantage of software-as-a-service (SaaS) for cybercriminals to rent time to deliver malware during their campaigns. Blackhole Exploit Kit (BHEK) was found representing 27% of the exploited sites and redirects. Redirects are when legitimate websites become compromised and send the user's Web browser to Blackhole for delivering a polymorphic payload.

As stated in the report, "[Blackhole] combines remarkable technical dexterity with a business model that could have come straight from a Harvard Business School MBA case study." That doesn't bode well for security professionals thwarting off cybercriminals and, even worse, for home users.

Bar Chart: Android Threats Accelerate

The Sophos Security Threat Report will take you through the four stages of the Blackhole life cycle. I also recommend reading "Inside a Black Hole" from SophosLabs.

SophosLabs is hard at work tracking Blackhole to detect the changing exploit kit and to counter Blackhole's detection countermeasures. More details are provided in the report, including advice on how to protect your systems.

In 2012, social media sites such as Facebook, Pinterest, and Twitter, to name a few, are where billions of people flocked to provide their statuses, share media, and market their wares. They also were in the company of cybercriminals looking to socially engineer anyone they can in order to deliver malware or phish user account information. The objectives are clear: to steal personal information and deliver more malware.

Social media attacks won't subside in 2013, and they are targeting mobile platforms even more, primarily Android.

From a mobile malware standpoint, Android has become the biggest target, with 52.2 percent market share.

Gerhard Eschelbeck, Sophos' CTO, wrote in the report foreword: "While malware for Android was just a lab example a few years ago, it has become a serious and growing threat."

SophosLabs compiled the Android Threat Exposure Rate (TER), which found countries such as Australia, the U.S., and Germany having a higher percentage of Android devices that experienced a malware attack than PCs over a three-month period.

The report goes on to discuss examples of Android mobile malware techniques to send SMS messages for profit (Andr/Boxer), escalate privileges (i.e. the INSTALL_PACKAGES permission), join the Android device to a botnet (Andr/KongFu-L), and steal banking information (Andr/Zitmo).

Rooting an Android tablet or smartphone is a popular modification to the device for various personal reasons. SophosLabs says in the report, "Rooting bypasses the built-in Android security model that limits each app's access to data from other apps . It's easier for malware to gain full privileges on rooted devices, and to avoid detection and removal."

If mobile malware has an easier opportunity to gain full privileges on rooted devices, then the best advice is to block root devices from getting onto your protected networks.

Get more facts from the full report by downloading the Sophos Security Threat Report 2013 from Sophos directly, without the hassle of a gated registration page. How nice.

David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in latest trends in malware, web threats, endpoint and data protection, mobile security, cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger for the award winning Naked Security blog. David talks regularly with technology executives and professionals to help protect their organizations against the latest security threats. Follow him on Twitter at @DSchwartzberg

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2227
Published: 2014-07-25
The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Networks UniFi Video (formerly AirVision aka AirVision Controller) before 3.0.1 does not restrict access to the application, which allows remote attackers to bypass the Same Origin Policy via a crafted SWF file.

CVE-2014-5027
Published: 2014-07-25
Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via a query parameter to a diff fragment page.

CVE-2014-5100
Published: 2014-07-25
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_...

CVE-2014-5101
Published: 2014-07-25
Multiple cross-site scripting (XSS) vulnerabilities in WeBid 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) TPL_name, (2) TPL_nick, (3) TPL_email, (4) TPL_year, (5) TPL_address, (6) TPL_city, (7) TPL_prov, (8) TPL_zip, (9) TPL_phone, (10) TPL_pp_email, (11) TPL_authn...

CVE-2014-5102
Published: 2014-07-25
SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.