Several recent developments in mobile malware are conspiring to raise the threat level for Android users, making it easier for attackers to convert legitimate applications into malicious apps and to undermine the technology that security experts use to tell the difference.
Last week, Symantec warned about a new malware toolkit or “binder” designed to Trojanize legitimate Android apps with a backdoor that lets miscreants access infected mobile devices remotely. Binders have been around in a variety of flavors for many years, but they typically are used to backdoor Microsoft Windows applications.
Symantec notes that the point-and-click Androrat APK Binder is being used in conjunction with an open-source remote access Trojan for Android devices called AndroRAT. “Like other RATs, it allows a remote attacker to control the infected device using a user friendly control panel,” Symantec’s Andrea Lelli wrote. “For example, when running on a device, AndroRAT can monitor and make phone calls and SMS messages, get the device’s GPS coordinates, activate and use the camera and microphone and access files stored on the device.”
The company said that while it has detected only a few hundred AndroRAT infections worldwide, it expects that number to increase as more tools for AndroRAT, like the APK binder, emerge.
Perhaps more worryingly, Symantec said this week that it had discovered two malicious Android apps in the wild that take advantage of a newly discovered and potentially quite serious security hole in Android applications. As first outlined roughly two weeks ago by researchers at BlueBox Security, the so-called “Master Key” vulnerability could let attackers convert almost any Android application into a Trojan, all without altering its cryptographic digital signature. Android uses these signatures to determine if an app is legitimate and to verify that an app hasn’t been tampered with or modified. In practice the flaw is a parsing mismatch: an APK is just a ZIP archive, and an attacker can add a second entry with the same name as a legitimate file so that the code which checks the signature and the code which installs and runs the app end up looking at different copies; the signed copy passes verification, the other one runs.
According to BlueBox, the bug affects any Android device released in the last four years, nearly 900 million devices. BlueBox said that it privately shared the details of the bug with Google in February 2013, but that it’s up to device manufacturers to produce and release firmware updates for mobile devices, and then up to users to actually install them. “The availability of these updates will widely vary depending upon the manufacturer and model in question,” BlueBox’s Jeff Forristal wrote in a blog post announcing the research. Forristal added that more details on the flaw will be released next week at the Black Hat security conference in Las Vegas.
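To make the duplicate-entry trick concrete, here is a small added example (my own illustration, not code from BlueBox, Symantec or the Android project). It builds an APK-like ZIP in memory with two members named classes.dex, shows that a parser which stops at the first match and a parser whose name table lets later entries overwrite earlier ones return different bytes for the same name, and implements the obvious defensive check: refuse any archive whose central directory lists a name twice. The dex contents and the manifest digest are constructed placeholders, no signature is actually verified, and which of Android’s two code paths took which copy is not stated on this page; the two reader functions simply model the two possible resolutions.

```python
import io
import warnings
import zipfile
from collections import Counter

# Constructed stand-ins for the bytecode an APK carries; there is no real dex here.
BENIGN_DEX = b"dex\n035\x00 benign classes"
TROJAN_DEX = b"dex\n035\x00 attacker classes"

# Member lists in archive order.  TROJANED is CLEAN plus a second entry that
# reuses the name "classes.dex", which is the Master Key trick in miniature.
CLEAN = [
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", BENIGN_DEX),
    ("META-INF/MANIFEST.MF", b"Name: classes.dex\nSHA1-Digest: (constructed)\n"),
]
TROJANED = CLEAN + [("classes.dex", TROJAN_DEX)]


def build_apk(members):
    """Write (name, data) pairs into a ZIP in the given order, duplicates allowed."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about a duplicate name but still writes the entry.
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in members:
                zf.writestr(name, data)
    return buf.getvalue()


def duplicate_entry_names(apk_bytes):
    """Names listed more than once in the central directory: the detection check."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def read_first_match(apk_bytes, name):
    """Resolve a name the way a parser that stops at the first match would."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():          # infolist() preserves archive order
            if info.filename == name:
                return zf.read(info)        # read this specific entry, not the name
    raise KeyError(name)


def read_last_match(apk_bytes, name):
    """Resolve a name the way a dict-backed parser does: later entries overwrite
    earlier ones.  Python's zipfile keeps a name->entry map that behaves exactly
    like this, so a plain read() by name shows the effect."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def verify_no_duplicates(apk_bytes):
    """Reject the archive outright if any member name is duplicated."""
    dupes = duplicate_entry_names(apk_bytes)
    if dupes:
        raise ValueError("duplicate ZIP entry name(s): " + ", ".join(dupes))
    return True


if __name__ == "__main__":
    apk = build_apk(TROJANED)
    print("duplicates:", duplicate_entry_names(apk))
    print("first-match parser sees:", read_first_match(apk, "classes.dex"))
    print("last-match parser sees: ", read_last_match(apk, "classes.dex"))
```

The lesson for anyone writing or reviewing a signature verifier is that the bytes you verify must be the very same bytes you later execute; resolving a name twice through two different parsers is what opened the gap here, and rejecting archives with repeated names, as the `verify_no_duplicates` check above does, closes it regardless of which parser would otherwise have won.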
Mobile users who rely on Apple’s iOS to keep them safe from malicious apps may be feeling safe by comparison, but two other recent developments could have security implications for iOS users. For starters, Apple disclosed on Sunday that intruders had hacked into its developer Web site, and may have made off with the names, mailing addresses and/or email addresses of its app developers. An independent researcher later claimed responsibility for the incident, saying he alerted Apple and had no malicious intent other than demonstrating access to the data, but such information could be very useful to miscreants looking to attack and compromise the systems of iOS app developers: a developer’s machine holds the signing keys and source of the apps that millions of users will install.
Next week’s Black Hat conference will feature a talk on a cross-platform mobile vulnerability; smartcard researcher and cryptography expert Karsten Nohl will discuss ways to remotely gain control over and also clone certain mobile SIM cards. The weakness Nohl has described involves SIMs that still protect their over-the-air management messages with the outdated 56-bit DES cipher, which can be cracked to recover the card’s update key. It’s not clear how many different mobile providers may be affected by this flaw, but for now it looks like AT&T and Verizon phones are not vulnerable.
One final note: For those readers who are subscribed to my email newsletter on a Gmail account, Google’s new inbox approach buries my newsletters in its “promotions” tab; to receive my newsletter normally, move it to your primary Gmail inbox and that choice should stick going forward. Alternatively, click the plus icon (+) next to the promotions tab and de-select all of the checked boxes to return your Gmail to its previous configuration without the tabs approach.