Tag Archives: Android

Seen Ad Pop-up’s in Your Mobile Browser Lately?

Posted on by

by Armando Orozco

Today, one of our Webroot SecureAnywhere for Android users reported seeing ad redirections while browsing on his Android device. As we began investigating, we noticed that there were a lot of other mobile users seeing the same thing – yes, on their iPhones as well! We were also able to reproduce the behavior on our devices.

This appears to be a clever Ad redirection using JavaScript. The pop-ups are survey offers for free electronics like iPads and iPhones. The users are asked to complete a survey, at the end of which their email address and phone number is also recorded. I know we’ve all seen these pop-ups before, but we’re not used to seeing them in our mobile world.

These pop-ups are not related to any apps you may have installed – they are a result of how the web page was written. Web developers use “alert()” function in JavaScript, which displays a message box requesting response from a user. The advertisers utilize this method to display their ads.

We are still investigating this issue and hope to track down the advertisers responsible. There does not appear to be anything malicious about these pop-ups for the time being, but we are sure malware authors will employ this tactic soon. With the rash of Rogue Applications and the recent discovery of a Rogue AV app (blog coming soon), we can see how this method could be exploited with malicious intent. Again, these are not platform or application-specific behaviors.

To remedy these pop-ups, you can disable JavaScript in your browser settings.

Thanks to JohnDeth of our Webroot Community for bringing this to our attention.

“You Want To Pay For What!?”

Posted on by

by Nathan Collier

Recently we found new apps in alternative Chinese markets that we are considering a Potentially Unwanted Application (PUA).  We are calling these apps Android.PUA.SMS.QuickPay.  Lets look at a sample of this app.  The sample we will look at is an app called “Screen Detection” which is an app that helps find dead pixels on your screen by displaying the colors red, green, blue, black, and white making it easy to see the dead pixel in contrast to these colors.  Pretty simple app.  Within a few seconds of opening the app this message pops up:

“Activate the full version, charges 2 Yuan, sending an SMS, 2 /. Customer Service Phone :010 -84681340-8035”

This app has limited functionality before requesting a premium SMS be sent for the full version, and that limited functionality only lasts a few seconds.  If you do not agree to sending the premium SMS the app will just keep asking you to activate the full version whenever you click.  Once you agree to the message it turns on your Wifi if not already on (Okay, that’s a little fishy), and sends a premium text message.  After that the app works.  Two Yuan is about 32 US cents, so people may just pay the small fee instead of spending the time to find a free version; which with a simple app that only shows four different colors as it’s functionality you would think there is something out there in the Chinese android market that will do the same for free.

It may not seem like much, but two Yuan at a time these guys are making a fortune off of apps that should be free.  This is only one sample, there are several more very simple apps that we found that do various things, but all ask for a payment for it to function.  Although there are legitimate Android Box apps out there, these apps are different in that they have very limited functionality, are signed by a different developer, and exploits simple apps that should be free by requesting payment for full versions before you even have a chance to see what it does.

Remember to always download from apps from a trusted source and be weary of messages asking to pay money for the full version so quick on the draw.

Rogue APKs continue to find new homes

Posted on by

by Armando Orozco

We’ve been tracking rogue premium-sms Android apps for sometime now. Here’s an interesting site we came across offering a download of the Google Music application, but this one comes with a cost. This site serves up a premium-sms Trojan of the ransom variety. Targeting Russian speakers these Rogue’s, we call Android.FakeInst, offer to give access to the app but for a fee.

                          

Continue reading

An Evolution of Android Malware “When stealing data isn’t enough meet…GoManag …“ (Part 2)

Posted on by

by Nathan Collier

In our continued series of how Android malware authors continue adding functionality to their work we take a look at GoManag. First seen last year, targeting Chinese speakers, GoManag is a Trojan that installs as a service so it can run in the background, collects device information and downloads payloads.  Its odd name comes from part of a URL it attempts to contact to.

Malicious GoManag app running in the background as the name “Google Search (Enhanced)”

Continue reading

Report: 3,325% increase in malware targeting the Android OS

Posted on by

By Dancho Danchev

Which is the most targeted mobile operating system?

According to the recently released 2011 Mobile Threats Report from our partners at Juniper Networks, that’s the Android OS.

Key summary points from the report:

Continue reading

Reflections on mobile security

Posted on by

By Armando Orozco

Be wary the next time you enter your passcode into your iPhone on the bus – someone could be shoulder surfing. In fact, a team of researchers from the University of North Carolina has developed a system to watch you pecking out characters on your phone, analyse the video, and produce a pretty accurate guess of what you were typing.

When people talk about key loggers, they’re usually thinking about malware that sits on a computer and surreptitiously monitors what keys people are pressing. But these university researchers are applying an entirely different approach to key logging. Instead of putting software on computers, they are investigating ways to monitor the text that people input into their mobile phones. They do it by taking video of your phone, either directly (over your shoulder or from the side), or simply by reading the reflections of your phone’s screen in your glasses.

The researchers developed a mechanism for looking at mobile phone screens using cheap, mobile videocameras. The cameras record video of people typing on ‘soft’ keyboards, such as those used by Apple’s iPhone. These keyboards commonly use ‘pop out’ animations, in which the key being pressed gets bigger when pressed, to confirm to the user that they have selected the right letter. The pop-out animation makes it easier to see which keys are being pressed in the video.

Mobile cameras have increased dramatically in quality lately, making them far more capable of capturing reflected keyboard images. These cameras are embedded in smartphones, of course, or if you wanted to get even techier, you could buy one of these.

Continue reading

‘Tis the season for mobile malware

Posted on by

By Armando Orozco

You’ve heard of the “perfect storm”? Well, there may be one brewing in Android-land. We just wrapped up a study that revealed holiday shopping is about to go mobile—in a big way. Turns out, over two times more shoppers plan to buy gifts on their mobile device this year. Over two times more?! It got me thinking…

We know that Android malware is on the rise. Even Android users themselves seem aware of it; our mobile study also found that 23 percent more Android users are concerned with the security of their information than iOS users. And although Google reported it was tightening access to its open source Android OS back in March, our researchers continually spot plenty of opportunities to capitalize on vulnerabilities because there’s still virtually no review process for new apps

It’s not hard to put two and two together.

As sleigh bells start ringing and shoppers reach for their mobile devices, I can just imagine cybercriminals licking their lips. We’ve seen two popular tactics for Android malware: gaining remote access to your device’s data and sending texts to premium numbers. Of course the end goal is the same for both routes: money, money, money.  And what more profitable time to go after the pot of gold than during the busy gift-buying season?

But here’s one more thing to consider: We can’t single out Android devices, because malware isn’t the only risk. The portability of iOS-based smartphones and tablets means they can easily fall into the wrong person’s hands—and whatever data is on that device would go with it.

So before you hit the “mobile mall” on Black Friday, take a few simple steps to protect yourself and your data:

  • Lock your device. Most smartphones and tablets give you a choice of locking it with a password, numeric code or pattern.  Use it.
  • Know your apps. Only download apps from trusted sources, and never install apps that want to access functions they don’t need, like the ability to send SMS messages. And it’s always smart to check out reviews by users and the experts before installing.
  • Use caution when connecting to WiFi hotspots. Avoid banking, making purchases, or logging into secure websites when connecting to WiFi hotspots.
  • Install mobile security. Mobile security apps provide lost device protection, secure web browsing, and antimalware services. Webroot offers several free and premium versions of Webroot® SecureAnywhere™ for protecting devices on the iOS and Android operating systems.

The bottom line: Be a savvy shopper, whether you’re on your Android at the airport or your computer at home. ‘Tis the season to shop safely.

Top 7 Cybersecurity Predictions for 2012

Posted on by

By Mel Morris

From Stuxnet to Sony, a number of cyberattacks emerged in 2011 that experts have predicted for quite some time. I predict 2012 will be even more pivotal, thrusting cybersecurity into the spotlight. These are my top seven forecasts for the year ahead:

1) Targeted, zero-day attacks will be the norm.
Looking back over the past year, an increasing number of breaches were the result of custom malware and exploits targeting specific enterprises. I predict 2012 will be the year of targeted attacks, which have slowly evolved from large-scale threats to unique attacks designed to infect a handful of very specific people.  Traditional blacklist and signature approaches have already become ineffective; once a virus is spotted, malware writers simply create a new one. As targeted, zero-day attacks intensify, more security vendors will realize the pressing need to analyze threats and behavior more holistically.

2) 2012 will be the start of a revolution.
For the last several years, the security industry and cybercriminals have had a symbiotic relationship that has kept the market in balance. The “good guys” have done just enough to thwart attacks – and the bad guys haven’t needed to dramatically evolve as they’re still making money doing exactly what they’re doing. I predict the scales will tip in the coming year. More innovative and effective security technology will drive a revolution and we’ll see a heated battle emerge between security companies and cybercriminals. It’s survival of the fittest.  As soon as cloud-based technology and behavioral protection strengthen their foothold in the antimalware sector, hackers and cyber mafias will up the ante and scope out new vulnerabilities.

3) Cyber threats will gain political traction.
The Stuxnet worm is an example of something we detected long ago, and its impact has now taken on a whole new meaning. The virus’s sophisticated ability to infiltrate government systems, silently gather information, and disable nuclear power plants has prompted a wakeup call, driving leaders to reassess federal technology standards and regulations. Stuxnet gives us a very real and very scary glimpse of what’s to come.

4)  Masses will migrate to cloud platforms.
Now that Cloud has an “i” front of it, the cloud will truly hit the mainstream. The appeal of file sharing and remote access will be a major draw for an increasingly tech savvy population that connects to the Internet from tablets, smartphones, and multiple PCs. This will not only drive widespread adoption of cloud-based tools and applications amongst consumers, but it will dramatically accelerate migration in the business world. Many companies are already on board with cloud platforms and applications, but the power of the masses will act as a tipping point, pushing the vast majority of IT professionals to shun old-school, on-premise approaches and look to the cloud for infrastructure and data solutions.

5) Your smartphone will be a target. Security companies have done a fairly good job of stopping attacks at the endpoint, and this will lead cybercriminals to focus their efforts more heavily on mobile devices, which are still quite vulnerable in today’s environment. We will see an increase in Android and iPhone attacks: rogue apps, malicious links, and spyware targeted at smartphones and tablets. It’s all about data, and business users and consumers alike store an abundance of highly sensitive and poorly guarded information on their mobile devices.

6) Legitimate applications will be used for illegitimate activities.
Rogue Android apps are just the tip of the iceberg. We load our mobile devices with applications that are designed to simplify our lives, yet we don’t stop to consider what else they are capable of – or what someone is capable of manipulating them to do. Even legitimate apps can grab information and use it without our permission. A simple glance at an application like Plane Finder illustrates the vast amount of data that is at anyone’s fingertips. And that’s not to mention the many other opportunities roaming devices present; a criminal could leverage a mobile device to pick up data from a nearby network, or hack into a plane’s WiFi connection and send signals to devices left in improper flight mode.

7) Our weakest link will be strengthened.
When it comes to security, the weakest link has always been people. In 2012, indifference toward security will diminish. Businesses will invest in security and strengthen duty of care measures. Employees and consumers will see the ramifications of breaches and begin incorporating smart Internet practices into their everyday behaviors.

I don’t think it means what you think it means…

Posted on by

Websites Hosting Android Trojans  

By Armando Orozco and  Nathan Collier

Rogue Android apps are making their way into alternative markets. Yes, we’ve seen some malicious apps trickle through and they can be elusive. But we’re now seeing markets that are only hosting malware. These rogues are of the premium rate SMS variety and request the user to send a bounty if they want the app. The interesting thing is that the websites they’re hosted on are very well put together and you can see that a great deal of time was put into creating them.

 The Websites

Click for Full Size

These well-crafted websites follow a similar layout; they have device reviews, app descriptions with screenshots, QR Codes and FAQs. So far, we’ve only found these websites aimed at Russian users, with the web pages written in Russian. The descriptions are similar to those in the Android Market and the screenshots appear to be taken from the market.  We are discovering that this network of SMS Trojans is fairly large. Continue reading

HTC acknowledges security flaw, plans update to fix

Posted on by

By Armando Orozco

A couple of days ago researchers for Android Police wrote about a security vulnerability in several HTC phones. The vulnerability lies with logging tools installed by HTC. These logging tools collect personal data like user accounts, email addresses, GPS info and SMS data. Having these tools logging users data is one thing but the fact that they are left unsecured and available to be exploited by a 3rd party app is a big blow to the device manufacturer. A 3rd party app would only need to request the INTERNET permission to gain access to the information collected by the tools. Why HTC has these tools in place hasn’t been answered, an answer they’ll have to provide to their customers at some point.

 
HTC’s public statement: “In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.”

 

The update will be sent over-the-air and users will receive a notification to install. No word on when the update will be available.

 
We all have a role to play in keeping our computing secure, but developers have a key role in that they need to ensure their applications are secure when it comes to customer’s data. This happens a lot, most recently with Skype, hopefully with more and more big name vendors being called out we’ll see developers tighten up their code.

 

Affected phones

EVO 4G

EVO 3D

Thunderbolt

EVO Sensation

MyTouch 4G slide