Remote Controlled: Mobile Backdoor Spotted

Reports of a smartphone botnet with over a million bots confirm how varied mobile threats have become. The fact that these malware can avoid detection and lead to further infections makes this discovery more troubling.

Access Through Fake Apps

Malware like ANDROIDOS_KSAPP.A comes from third-party app stores, repackaged as gaming apps. Once installed, these malicious apps download and parse a script from remote sites; the script contains commands that a remote attacker can execute on the affected device. The malicious apps can also expose the device to further infection through notifications and pop-up windows that prompt you to install other, possibly malicious, files.

More Sophisticated Malware

What makes these particular malware notable is their ability to parse a downloaded script and equip themselves with new ones. They can update their script to avoid antimalware detection, which makes them more sophisticated than the typical Android malware with backdoor capabilities.

These refined routines continue a mobile trend we saw last year: starting from social engineering baits, cybercriminals have since added newer attack methods. The discovery of the reported malware indicates that cybercriminals are continuously creating more complex malware to prey on mobile users like you.

Protecting Your Devices

Protect your mobile devices by scrutinizing each app before you download and install them. Cybercriminals often spoof popular apps to trick you into downloading malware. Reading app descriptions and reviews can help you sift legitimate from suspicious apps.

Installing a security app, if available, adds another layer of protection to your mobile device. Android devices have a good selection of security apps. iDevices have fewer options due to Apple’s reluctance to allow third-party developers to offer solutions. We believe this will change this year. The threats are growing and manufacturers need partners to ensure security. As Windows phones gain market share, solutions will be available for them as well.


Bring Your Own Device (BYOD) – Rules for IT Management – Rule 1

We are starting a series on BYOD – allowing users to bring their own devices to the office and access office infrastructure and files. We have come up with topics to help organizations navigate the ever-changing landscape. Here’s rule 1:

1. Create Your Policy Before Procuring Technology

Like any other IT project, policy must precede technology—yes, even in the cloud. To effectively leverage mobile device management (MDM) technology for employee owned devices, you still need to decide on policies. These policies affect more than just IT; they have implications for HR, legal, and security—any part of the business that uses mobile devices in the name of productivity.

Since all lines of business are affected by BYOD policy, it can’t be created in an IT vacuum. With the diverse needs of users, IT must ensure they are all part of policy creation.

There’s no one right BYOD policy, but here are some questions to consider:

  • Devices: What mobile devices will be supported? Only certain devices or whatever the employee wants?

According to Forrester, 70% of smartphones belong to users, 12% are chosen from an approved list, and 16% are corporate-issued. Some 65% of tablets belong to users, 15% are chosen from a list, and 16% are corporate issued. In other words, users in most cases bring their own devices.

  • Data Plans: Will the organization pay for the data plan at all? Will you issue a stipend, or will the employee submit expense reports? Who pays for these devices? For smartphones, 70% paid the full price, 12% got a discount, 3% paid a partial amount, and in 15% of cases, the company covered the full price. With tablets, 58% bought their own, 17% got a corporate discount, 7% shared the cost, and 18% were issued and paid for by their companies. (Source: Forrester, 2011)
  • Compliance: What regulations govern the data your organization needs to protect? For instance, the Health Insurance Portability and Accountability Act (HIPAA) requires native encryption on any device that holds data subject to the act.
  • Security: What security measures are needed (passcode protection, jailbroken/rooted devices, anti-malware apps, encryption, device restrictions, iCloud backup)?
  • Applications: What apps are forbidden? IP scanning, data sharing, Dropbox?
  • Agreements: Is there an Acceptable Usage Agreement (AUA) for employee devices with corporate data?
  • Services: What kinds of resources can employees access—email? Certain wireless networks or VPNs? CRM?
  • Privacy: What data is collected from employees’ devices? What personal data is never collected?

No questions are off limits when it comes to BYOD. There must be frank and honest dialog about how devices will be used and how IT can realistically meet those needs.

Bandwidth-Burning Malware Among Biggest Consumer Threats

A new malware report indicates Android malware samples grew three-fold last quarter and that one in every 140 devices connected to mobile networks was infected at some point.

Closer to home, about 14 percent of household networks were hit by malware this spring, with a 50 percent increase in high-level bots, Trojans and backdoors.

Among the biggest threats to consumers was the ZeroAccess botnet, which grew to more than 1.2 million super nodes resulting in ad-click fraud that at one point burned through bandwidth equivalent to 45 monthly movie downloads per subscriber.

In recent months, the ZeroAccess botnet has updated its command and control protocol and grown to infect more computers while connecting to over one million computers globally. The concern with ZeroAccess is that it is using the subscriber’s bandwidth maliciously which will cost them money as they exceed bandwidth caps. And, once the computer is compromised, it can also spread additional malware or launch new attacks.

The ZeroAccess/Sirefef bot earlier this year modified its command-and-control protocol to evade detection and quietly distribute fraud-laced malware.

The bot tries to evade click-fraud detection by simulating normal human browsing behavior. This involves using a relatively low click rate and responding to redirects, cookies and scripting as a regular browser would. Despite this low profile, the bot operates 24 hours a day, seven days a week, so the bandwidth used by all that browsing adds up over time.
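A defender-side illustration of that pattern, added here and not taken from the original report: it runs over constructed proxy log records and flags hosts whose ad clicks are low-rate but present at nearly every hour of the day, the round-the-clock signature a human browser lacks. The log format, host addresses and thresholds (22 active hours, at most 6 clicks per hour) are assumptions.

```python
"""Flag hosts whose ad-click traffic is low-rate but round-the-clock: a human
browser shows a sleep gap and bursts, a low-and-slow bot clicks at every hour."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_clicks(lines):
    """Parse assumed 'ISO-timestamp host url' records into {host: [datetime, ...]}."""
    clicks = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed records
        clicks[parts[1]].append(datetime.fromisoformat(parts[0]))
    return clicks


def hourly_profile(times):
    """Count clicks per hour-of-day (index 0..23) for one host."""
    profile = [0] * 24
    for t in times:
        profile[t.hour] += 1
    return profile


def is_low_and_slow_bot(profile, min_active_hours=22, max_clicks_per_hour=6):
    """Activity in almost every hour, yet never above a modest per-hour rate:
    no human sleep gap, but nothing that trips a simple click-rate threshold."""
    active_hours = sum(1 for c in profile if c > 0)
    return active_hours >= min_active_hours and max(profile) <= max_clicks_per_hour


def flag_hosts(lines):
    """Return {host: True if the host's hourly profile looks bot-like}."""
    return {host: is_low_and_slow_bot(hourly_profile(ts))
            for host, ts in parse_clicks(lines).items()}


def constructed_log():
    """Constructed sample data: 10.0.0.7 clicks every 20 minutes for 24 hours
    (bot-like); 10.0.0.9 makes 40 clicks in two evening hours (human-like)."""
    start = datetime(2012, 7, 2)
    lines = []
    for i in range(72):  # 3 clicks per hour, every hour of the day
        t = start + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()} 10.0.0.7 http://ads.example/click?id={i}")
    for i in range(40):  # one burst between 19:00 and 21:00
        t = start.replace(hour=19) + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} 10.0.0.9 http://ads.example/click?id={i}")
    return lines


if __name__ == "__main__":
    for host, flagged in flag_hosts(constructed_log()).items():
        print(host, "bot-like" if flagged else "normal")
```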

On the mobile front, most malware involved “trojanized” apps that steal information about the phone or send SMS messages. However, a banking Trojan that intercepts access tokens and two spyware applications also made the Top 20 list.

Researchers noted that Apple took a second hit to its security reputation with the “Find and Call” malware that targeted both iPhone and Android devices.

First Flashback infected the Mac, and now it appears that an iPhone app called ‘Find and Call’ uploads the user’s contact list to a remote server. The server then sends e-mail and text-message spam to the victim’s contacts. The messages are in Russian and encourage the recipient to download the app.

The app has since been taken down from the Apple Store.

Flashback, the Trojan that exploited a Java vulnerability to infect thousands of Mac OS X systems worldwide last spring, infected 10 percent of homes that owned at least one Mac during the month of April 2012.

Security in 2012: A look back at Q1

Today, ‘Mobile’ has become a technology buzzword. Mobile technology, of course, refers to portable technology, which runs the gamut from mobile phones and laptops to global positioning system (GPS) devices. Like any other kind of technology, mobile technology has its disadvantages and concerns, including that of security.

Android under attack

Android-based smartphones suffered from more criminal attacks this quarter. With the increased use of smartphones for web browsing, it is no surprise that the number of mobile attacks increased. The popularity of apps led to the existence of bogus Android apps like the fake ‘Temple Run’ and optimizer apps. One prominent mobile threat this quarter was one-click billing fraud, which can charge a user up to $1,300 just for clicking a button.

Data breaches and APTs

As the name implies, persistence is key when it comes to Advanced Persistent Threats (APTs). Attackers go deep into a target’s network to get what they want. Highly targeted attacks are categorized as ‘campaigns’, as these refer to a series of failed or successful attempts to compromise a targeted network. One notable example of this is the Luckycat campaign, which targeted several industries. Common lures for targeted attacks this quarter include popular sports figures and sociopolitical events.

Social media threats

Social networking has created a generation of users more likely to reveal personal data to third parties. Social media has become an effective platform for cybercriminals to spread malware. Even more troubling is the fact that the presence of cybercriminals and cunning social engineering lures put not only users at risk, but also the companies they work for. Even newly formed social networking sites were not spared this quarter, with survey scams finding their way to Pinterest.


The number of reported vulnerabilities this quarter showed that threats can easily spread among systems and possibly even mobile devices. One vulnerability, MS12-020 (CVE-2012-002), was given the highest rating on Microsoft’s exploitability index, as it can consistently be exploited even by unauthenticated users. MS12-020 allows cybercriminals to remotely execute commands on affected systems.

Among vendors, Apple posted the highest number of reported vulnerabilities this quarter, along with a record-breaking number of patches.


Blended threats are cybercriminals’ answer to causing greater damage to unsuspecting users. Ransomware reared its ugly head once more, taking systems or files ‘hostage’ until victims paid up. One SINOWAL variant spread using a compromised Dutch site. Other notable threats included spoofed emails bearing a malicious JavaScript and backdoors that stole sensitive information.

Some days, you just want to stay inside and read a book.

Password Security Policies – Part 3 – Manage the Mobile Morass

Small and midsize businesses (SMBs) that struggle with information security because of resource constraints have particular reason to pay attention: Smart password practices require next to no budget. They don’t need to take up much time, either, especially once your policies and procedures are in place. Here is the last of a three part series – managing your mobile devices.

7. Use a device-lock app. The mobile era has compounded the potential security threats inherent in password breaches. A lost or stolen device, for starters, can become a nightmare for the unprepared SMB. Begin by requiring–or at least strongly encouraging–staff to use a device-lock feature or app. Set it to time out automatically at one minute or less of inactivity.

8. Don’t jailbreak or root phones. This one’s likely to be a particular concern for SMBs that encourage employees to bring their own device to work. Users that jailbreak their iPhone or root their Android device could be bringing increased security risks onto the corporate network. Consider a policy restriction that bans such devices for company use.

9. Fully exit apps. Slain recommends users sign out and exit business apps when not in use rather than leaving them running in the background. That’s a step that sounds easy but sometimes involves more than just closing it, depending on the phone and its operating system. iPhone users must double-click the bottom button, find the app in a list, tap its icon, and then tap the minus sign that appears.

Carrier IQ Rootkit Logs Everything On Millions Of Phones

If you use an Android, BlackBerry, or Nokia smartphone then you may be at risk of being illegally wiretapped by Carrier IQ–a provider of performance monitoring software for smartphones. A “rootkit” is software that hides itself while using privileged access, for example to watch your every move.

Earlier this month a user named Trevor Eckhart announced that he found software, made by Carrier IQ, that may be logging your every move on your mobile phone. He found that the application IQRD, made by Carrier IQ, was running on his phone and he could not kill or force stop the app. He also noted the app runs every time his phone is turned on.

After connecting his HTC device to his computer he found that IQRD is secretly keylogging every single button pressed on the phone, including the touch-screen number pad. IQRD is also shown to be logging text messages. He was also able to show that Carrier IQ is logging web searches. While this doesn’t sound all that bad by itself, what’s creepy about it is that Carrier IQ is logging what happens during an HTTPS connection, which is supposed to be encrypted information. Additionally, it can do this over a Wi-Fi connection with no 3G, so even if your phone service is disconnected IQRD still logs the information.

Carrier IQ’s Mobile Intelligence platform is currently deployed on more than 150 million devices worldwide. Paul Ohm, a former Justice Department prosecutor and professor at the University of Colorado Law School, stated that this isn’t just creepy, but it’s also likely grounds for a class action lawsuit under federal wiretapping law.

Unfortunately, this software is a real pain to remove. If you don’t want to be tracked and your device has Carrier IQ on it then your only option may be to erase and reinstall your OS.

Malware on Androids up over 400% from last year (and other trends)

Malware targeted toward Android devices continues to surge, pushing 2011 to become the busiest year in history for both mobile and general malware.

The amount of malware infecting Android devices during the third quarter grew almost 37 percent from the second quarter. Android’s growing demand among consumers has made it an increasingly ripe and inviting target for cybercriminals.

Among all mobile platforms, Nokia’s Symbian OS is still seeing the greatest amount of malware. But almost all new mobile malware over the third quarter was aimed squarely at Android.

One common scheme against Android is led by Trojans that collect personal information and steal money from the user by sending SMS messages. Another type of malware records phone conversations and sends them to the attacker.

Phony antivirus products, AutoRun malware, and password-stealing Trojans were among the most common types of malware in the quarter, staging a rebound from previous quarters. Malware aimed at the Mac also continues to grow as Apple computers experience greater demand among both consumers and businesses.

The number of botnet infections inched down over the third quarter but staged some dramatic gains in countries such as Argentina, Indonesia, Russia, and Venezuela. Cutwail, Festi, and Lethic proved to be the most dangerous and damaging botnets last quarter.

And though spam has dropped in numbers since 2007, it’s grown in sophistication, according to McAfee. Spearphishing, or targeted spam, is increasingly being adopted by more attackers and is proving to be a highly effective way to deliver malware.