July 24, 2013

Several recent developments in mobile malware are conspiring to raise the threat level for Android users, making it easier for attackers to convert legitimate applications into malicious apps and to undermine the technology that security experts use to tell the difference.

Source: Symantec


Last week, Symantec warned about a new malware toolkit or “binder” designed to Trojanize legitimate Android apps with a backdoor that lets miscreants access infected mobile devices remotely. Binders have been around in a variety of flavors for many years, but they typically are used to backdoor Microsoft Windows applications.

Symantec notes that the point-and-click Androrat APK Binder is being used in conjunction with an open-source remote access Trojan for Android devices called AndroRAT. “Like other RATs, it allows a remote attacker to control the infected device using a user friendly control panel,” Symantec’s Andrea Lelli wrote. “For example, when running on a device, AndroRAT can monitor and make phone calls and SMS messages, get the device’s GPS coordinates, activate and use the camera and microphone and access files stored on the device.”

The company said that while it has detected only a few hundred AndroRAT infections worldwide, it expects that number to increase as more tools for AndroRAT like the APK binder emerge.

Perhaps more worryingly, Symantec said this week that it had discovered two malicious Android apps in the wild that take advantage of a newly discovered and potentially quite serious security hole in Android applications. As first outlined roughly two weeks ago by researchers at BlueBox Security, the so-called “Master Key” vulnerability could let attackers convert almost any Android application into a Trojan, all without altering its cryptographic digital signature. Android uses these signatures to determine if an app is legitimate and to verify that an app hasn’t been tampered with or modified.

According to BlueBox, the bug affects any Android device released in the last four years — nearly 900 million devices. BlueBox said that it privately shared the details of the bug with Google in February 2013, but that it’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). “The availability of these updates will widely vary depending upon the manufacturer and model in question,” BlueBox’s Jeff Forristal wrote in a blog post announcing their research. Forristal added that more details on the flaw will be released next week at the Black Hat security conference in Las Vegas.

An unofficial patch for this vulnerability is available now for those Android users who are using a rooted device. See this announcement from Duo Security about that fix.
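The Master Key flaw is publicly documented as an APK carrying two ZIP entries with the same name: the signature check validates one copy while the installer runs the other, so the signature stays intact. The following Python check is an added example, not code from the article, Bluebox or Android; it flags duplicated entry names in an APK, and the sample archive and its contents are constructed here for illustration.

```python
import io
import warnings
import zipfile
from collections import Counter

# Constructed sample payloads (not real app code); only the ZIP layout matters here.
ORIGINAL_DEX = b"dex\n035\x00original-classes"
INJECTED_DEX = b"dex\n035\x00injected-classes"


def build_sample_apk(duplicate_dex=False):
    """Build a minimal APK-shaped ZIP in memory (constructed sample).

    With duplicate_dex=True a second entry named classes.dex is appended after
    the first: one archive, two entries with the same name, and the names of the
    signed entries unchanged, which is the layout the Master Key reports described.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", ORIGINAL_DEX)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if duplicate_dex:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicate names but writes them
                zf.writestr("classes.dex", INJECTED_DEX)
    return buf.getvalue()


def find_duplicate_entries(apk_bytes):
    """Return {name: count} for every entry name that occurs more than once.

    A well-formed APK has unique entry names, so any hit is a tamper indicator
    worth blocking or inspecting before the app is installed.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def entry_versions(apk_bytes, name):
    """Return the contents of every entry carrying `name`, in archive order."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.open(info).read() for info in zf.infolist() if info.filename == name]


def default_read(apk_bytes, name):
    """What a naive name lookup sees: ZipFile.read() returns only the last entry."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)
```

Comparing `entry_versions` with `default_read` on the tampered sample shows how two readers of the same archive can disagree about which `classes.dex` is "the" file.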

Mobile users who rely on Apple’s iOS to keep them safe from malicious apps may be feeling safe by comparison, but two other recent developments could have security implications for iOS users. For starters, Apple disclosed on Sunday that intruders had hacked into its developer Web site, and may have made off with the names, mailing addresses and/or email addresses of its app developers. An independent researcher later claimed responsibility for the incident, saying he alerted Apple and had no malicious intent other than demonstrating access to the data, but such information could be very useful to miscreants looking to attack and compromise the systems of iOS app developers.

Next week’s Black Hat conference will feature a talk on a cross-platform mobile vulnerability; smartcard researcher and cryptography expert Karsten Nohl will discuss ways to remotely gain control over and also clone certain mobile SIM cards. It’s not clear how many different mobile providers may be affected by this flaw, but for now it looks like AT&T and Verizon phones are not vulnerable.

One final note: For those readers who are subscribed to my email newsletter on a Gmail account, Google’s new inbox approach buries my newsletters in its “promotions” tab; to receive my newsletter normally, move it to your primary Gmail inbox and that choice should stick going forward. Alternatively, click the plus icon (+) next to the promotions tab and de-select all of the checked boxes to return your Gmail to its previous configuration without the tabs approach.

18 thoughts on “Toward A Greater Mobile Mal-Awareness”

  1. Dave Stern

    If you want a secure phone, don’t use Android. It’s as simple as that. Android’s for poor people or people who don’t care about security and think that price is more important to them.

    Nothing is ever free in life.

    1. Peter

      But is Android any less secure than iOS for example? Or is it more the case that the issue is caused by being allowed to install software from anywhere.

      The main reason iOS is considered secure is that every app is checked and approved prior to being accepted. With Android you can simply submit to a store that doesn’t check apps.

      1. Graham

        Google checks every app in its store for malicious code. Android sandboxes running apps, scans apps before they are installed, and warns you of what every app has the capability to do.

        Android is far more secure than iOS, so long as you only use the play store.

        1. rb

          Graham – Can you supply actual data to back up your “far more secure than iOS” claim?

    2. James

      As long as you use the official Android app store you will be relatively safe. The official app store scans all applications and can detect whether or not an app has been backdoored using the recent signing key vulnerability. Dangers are only present when you use non-official stores, but the same applies for iOS devices which are able to install apps from 3rd party stores.

      Saying Android phones are for poor people is very snobby and makes you sound like a pretentious twat.

      1. Bobo

        Thank you, James. Someone needed to say that.

    3. CooloutAC

      Linux is free and they say it’s more secure than the very expensive Microsoft Windows, no? I guess that’s debatable though.

      I don’t think many people choose cellphones based on security. Although, ironically, I know many people who prefer a cellphone because they think they are safer on it compared to their PC. I think that’s pretty debatable too. I always refer people to that Tyra Banks episode from many years ago lol.

      Anybody’s thoughts?

    4. David Stern

      I’m one of those ‘poor people’; I guarantee I have more money than you. And, you are a horse’s behind.

    5. outlaw

      If you want a (software) secure phone, try using an old dial phone.

      1. anymouse

        Western Electric’s telephones all have outstanding security, whether rotary or Touch Tone. These old telephones also have the very best voice quality. Note that this does not include the foreign-made imitations which AT&T foisted upon the public after 1984. A circa 1983 Trimline sits next to my PC.

        Of course, Western Electric’s products did not include even the most basic features people demand today, e.g. redial, let alone Anthony Weiner’s favorite feature, texting.

      2. DP

        Especially if you worked for the Nixon administration.

  2. Peter

    Apple seem to be going crazy trying to ensure this doesn’t happen again. They seem to be doing a complete overhaul due to this. The whole developer center is unavailable.

    We’ll be back soon.

    Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

    In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.

    If your program membership was set to expire during this period, it has been extended and your app will remain on the App Store. If you have any other concerns about your account, please contact us.

    Thank you for your patience.

    1. CooloutAC

      Ubuntu’s website’s been down for I think a couple days now; hackers got everybody’s accounts.

      So is it still true that if it’s open sourced it’s more likely safer… or has that always been a myth?

      1. CooloutAC

        They took down the Ubuntu forums, Ubuntu being the most popular and active Linux distro. What a bunch of losers these hackers are.

        I don’t prefer that GNOME interface, but when I see it I think of Android phones.

  3. outlaw

    How many fans of security through obscurity are there?
    With Windows you haven’t learned anything?
    The forum isn’t related to the distro security; there are mirrors with crypto keys for the debs. If someone pwns the forum, they get only this.

    1. OhioMC

      Yes, but isn’t the developer info valuable, as Brian suggests, for a soft attack vector?

      If hackers are willing & able to infiltrate a vendor like Bit9 in order to work their way into enterprise & government environments, don’t you think that hacking app developers is being pursued to backdoor onto a phone OS?
      http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/

      Hopefully Apple’s thoroughness in app review and the granularity of their app access controls on iOS is sufficient. I heard early this year that an app vendor Apple uses itself for email encryption/MDM faces thorough scrutiny and Apple didn’t cut corners, even when it impaired their own ability to get an update with bug fixes.

  4. IA Eng

    “If it is built by software, typically it can be broken by software”. That may not apply to all cases, but for the majority, that phrase rules.

  5. Chris R

    Easy answer to the debate over which is more secure, Linux vs Windows, or OSX vs Windows vs Linux, or even Android vs iOS.

    Nothing is secure. For something to be ‘secure’ or ‘un-hackable’, software and hardware would both have to be perfect.

    For hardware and software to be ‘perfect’ it’d have to be written by a ‘perfect’ human; there’s no such thing and nothing is ever perfect.

    Even when a machine manufactures a piece of plastic on something there’s always a slight difference; not each one is *exactly* the same, so therefore none of them are perfect.

    Security is no more than an illusion. It’s the illusion of safety, comfort and privacy to prevent panic by the masses, and that’s all it will ever be.

    That ‘panic’ also creates job security, so some lack of software and/or hardware ‘security’ is purposely done with malicious intent.

    So long story short; tl;dr version:
    You’re all going on about pointless crap. Everything gets exploited eventually and everything can be exploited; it’s just a matter of time and determination.

    So quit playing favorites over who likes what or what the media or society brainwashes you into thinking is ‘cool’.
