About Troy Vennon
Posts by Troy Vennon:
Some Scams Are Noticeable, Some Aren’t
Thursday, December 2nd, 2010 Filed Under: Blog, Mobile Security, Security
In today’s world, someone is always trying to get their hands on your money. Many do it ethically by offering goods or services that you really want or need. Others do not. We regularly see malicious tools designed to separate money from the bank accounts of unsuspecting individuals. Others use scams or outright fraud. Sometimes, we get lucky and the scams are easy to spot. Sometimes, they are not. Today we’re going to talk about one that should be painfully obvious.
I continually stress how important it is for users to make sure they know what they are downloading before they do it. Still, some people just aren’t getting the message, so we’ll digress for a second into the basics.
Android is exploding in US markets (thanks Verizon) and beginning to gain ground on RIM and the iPhone around the world, but Symbian is still the boss. What that brings with it is the focus of unethical individuals. When market share increases for an operating system or particular technology, the bottom dwellers of the world are going to begin to flock to that technology as a means to steal your money. This is no longer a debate.
Android did itself absolutely no favors in trying to curtail this reality when they came up with the idea of their Market. The Android Market is mostly an open source repository for paid and free apps that run on Android devices. When you create an environment with little to no supervision, you foster innovation. But you also allow nefarious types to participate in the innovation.
In article after article, we’ve highlighted some of the malicious applications that have hit the Android Market. It is the current target for malicious developers to disseminate their warez for the fastest growing mobile platform. However, what we have not yet seen in the Android Market is the existence of outright scams like we see plaguing computer users around the world.
Sometime yesterday, we saw a blatantly obvious scam app hit the Android Market. Now, in their defense, this app has been removed from the Market with less than 50 reported downloads. That’s not too bad. Even though we find this scam attempt to be pretty funny, we do feel for those that fell for the scam and now find themselves to be $4.99 poorer.
4G LTE Upgrade is an application that popped up in the Android Market about 18 hours ago. This application purports to enable features in Verizon’s Droid devices that will allow 3G devices to access and operate at 4G speeds when Verizon’s LTE network goes live in a few days. What is even more duplicitous is the fact that the developer actually has the foresight to tell customers that:
***If app does not work immediately please allow 24-48 hours for network to propogate.***
If you’ve ever purchased an application from the Android Market, you should know that there is a 24 hour trial period for the user to review the application and decide if they like it or not. If they determine that they don’t want or won’t use the app within 24 hours, it is trivial to return the application and get a full refund by going to the app’s Market page and clicking “Refund/Uninstall”. This guy actually tries to tell the user that you may have to wait a little longer than the 24 hour trial period for the app to work. Tricky!!
To even the most casual smartphone user, it should be painfully obvious that there is no way a simple app can functionally create the technology on their phone to operate at 4G speeds, yet some people downloaded it. This scam is easy to spot, but it still worked for the few hours it was allowed to remain in the Market. It took several complaints to Verizon from frustrated customers who couldn’t seem to get 4G speeds from their 3G devices to “nudge” Google to remove the app from the Market.
But, these two indicators aren’t all that the developer has given to tell us this is a scam. If you’re unsure about whether something is real or a scam, when dealing with computer technology, the first thing you should focus your attention on is grammar. The Market description for the “4G LTE Upgrade” app does not give us a lot to go on, as far as grammar is concerned, except for one minor mistake.
The grammatical error that was an immediate indication that this was a scam (if I didn’t know the whole premise was utterly ridiculous) can be found in the same advisory that attempts to trick users into waiting out the refund window for the app to magically begin working. The whole advisory is fairly incoherent in asking the user to wait for “24-48 hours for network to PROPOGATE”. First, propagate is spelled incorrectly. Secondly, why would the 4G network need to “propagate” down to the device? Either it can access the “signals” that deliver 4G speeds or it can’t. Nothing needs to “propogate” anywhere.
Some scams, however, are not so easy to spot. Check this one out.
Security Researcher Bypasses Android’s Consumer-Facing Security Controls
Thursday, November 11th, 2010 Filed Under: Blog, Mobile Security, Mobile Threats, Security
Now is probably the best time to have this discussion with Android users, and Smartphone users in general. So, I guess I’ll just dive right in and begin by saying that if you don’t take the threat of malware attack on your Smartphone seriously, you’re going to be compromised. Your communications will be monitored, any accounts you access and credentials you use from the phone will be intercepted, your sensitive data will be stolen. To add insult to injury, you might also end up having to pay some attacker for however many premium rate SMS messages your phone sent to their short code number after they’re done stealing your information.
These statements may seem a little far reaching when it comes to the concept of mobile security and Smartphone use, I know. It is much easier to make these statements when talking about a PC running a Windows operating system. In today’s world, if you use Windows, you absolutely must rely on several different security applications to keep your machine safe. Has anyone ever tried to put a Windows XP machine on the wild Internet with no protection? It’s madness.
The most recent statistic I can find for this type of “test” is more than two years old and puts the average infection time at five minutes. That is five minutes from the time that you plug an ethernet cable into an ethernet port of a machine, that has no security applications protecting it, to the time that it has picked up some worm, trojan, botnet, been port scanned a few times, or any of the other ridiculous things out on the wild Internet. I have to wonder why the quick search I just did for this statistic only comes back with data from two years ago? Is it because it’s gotten so bad that people stopped keeping track?
Why, you may be asking, is this guy talking about Windows when he started talking about Smartphones and stealing data? Well, it’s because there are parallels that must be understood in order to be able to make the statements that were made. Windows is NOT the most flawed operating system to ever exist. Windows happens to be the most USED operating system to ever exist. Estimates put the various flavors of Windows somewhere around 90% - 93% of the world PC market. Identity theft and electronic fraud are a multi-billion dollar a year business. In this business it makes almost no sense for the players to spend any significant amount of time researching code and developing exploits for platforms that only make up 7% of the world market. Instead, thousands upon thousands of hours are spent digging into Microsoft and exploiting the lowest hanging fruit that can be found.
This paradigm is playing out in the Smartphone ecosystem as well. Apple says that they hold a tight grip over their App Store. No malicious apps in or out. They have a review process that is supposed to keep the bad things off of your iPhone. So far, it’s worked out pretty well for them. But that does not mean that the iPhone is secure. We know that portions of iOS have been shown to have their fair share of security flaws that have forced Apple to release patches and updates to quickly address the flaws. The lack of malware in the App Store is completely independent of whether or not there are security flaws in the iOS implementation.
However, Android’s openness in their Android Market has caused attackers to focus their attention on Google’s platform. When it is all said and done, the armchair quarterbacks of information security will end up saying that Android is flawed, where the iPhone is secure. I believe this is going to be a flawed premise based upon the simple fact that Android’s Market allows anyone to publish any app at any time, and expects the community to regulate the content.
It is important to understand the correlation between malicious applications and the research behind their ability to exploit the flaws that they do. Because Apple’s App Store is more likely to weed out malicious apps before they are made available than Android’s Market, those that wish to continue their illegal activity in the Smartphone industry will focus their attention on Android. These individuals will likely drop the heavy research initiatives against the iPhone to find security flaws and they will focus their time and effort on Android. It does no good to find a security flaw in the iPhone, if there is almost no viable means of disseminating the exploit. They’re going to go after the lowest hanging fruit in the Android Market. We’ll call it their M.O.
So, how do Google and Android combat this reality? What do they have in place to attempt to blunt the effect of malware existing in the Market? Their primary means of defense is to educate the user on the importance of installing trusted apps and to use the “permissions declaration” that an app is forced to follow prior to a user installing anything on the handset. Now, we all know that almost no one pays attention to this advice and they just click through the install process on every new, hot app that they want to play with. If we know this, so does the attacker.
What happens when the attacker is able to completely bypass the single control that Google has implemented to protect the consumer from compromise? What happens if someone is able to trick the permissions declaration into displaying something incorrect or bypassing it all together so that it never even asks the user to approve anything in the install process?
This is exactly what has happened. Early Wednesday morning, a security researcher, who has been doing an incredible amount of analysis of Android’s GTalk services, released a proof-of-concept application into the Android Market that, once it is installed, is capable of installing additional apps in the background without being required to declare the fact that something is happening. In essence, he’s shown that it is possible for one application to install additional malicious applications with no need to declare the permissions they will use.
In his analysis of the GTalk services, Jon Oberheide identified a token that is used with the Market application (vending.apk) that a developer is able to leverage to bypass the permissions restrictions necessary to allow an app to be installed without the user’s knowledge or consent. In essence, he broke Google’s consumer-facing security control against malicious applications. All he had to do was use a bit of social engineering and the knowledge that users are unlikely to pay attention to what they are installing.
It’s important to state that this application was only in the Market for six hours before it was removed and banned. However, if you look at the application’s Market description, you’ll see the social engineering that was used. He simply hid his proof-of-concept code in a supposed “add-on” for the “Angry Birds” game by Rovio Mobile. “Angry Birds” is a game that has spread like wildfire through the Android user base. Latest estimates put the download rate at about 6.3 million downloads. Mr. Oberheide simply released an application that purported to be bonus levels for the “Angry Birds” game. It’s simple. It’s ingenious.
In six hours, he was able to get 50 downloads of the application. None of which would have alerted the user to the fact that it just installed three malicious applications that have access to the device’s contacts, location data and SMS functionality. But, it is important to note that the “Angry Birds Bonus Levels” application did require the user to approve the permissions that it needed to be able to function when it is initially installed from the Market. It was the applications being installed in the background that bypassed the notification process that Android relies upon for the user to make intelligent decisions. Let’s take a look at the permissions those 50+ people approved in an application that was meant only to add a few levels to a game about birds:
android.permission.USE_CREDENTIALS
android.permission.INTERNET
android.permission.GET_ACCOUNTS
com.google.android.providers.gsf.permission.READ_GSERVICES
These are the only four permissions this application requests. Even the most technologically illiterate person should be able to read these and know that something is extremely wrong with the things it is trying to have access to do. But there’s a problem. This is not how Android presents the requested permissions to the user. Instead, they have grouped permissions into user friendly descriptions that they might better understand. For example, instead of the “android.permission.USE_CREDENTIALS” permission being displayed, the user would see a declaration that says it would like access to “Your Accounts”. Additionally, the “com.google.android.providers.gsf.permission.READ_GSERVICES” permission would be displayed to the user in the same way, simply “Your Google Accounts”. In my opinion, the user friendly version of the permissions declaration actually hinders the user’s ability to see exactly what is going on because it obfuscates the actual permission that is being requested with a general description of obtuse activities. But, I digress.
What interested parties have seen happen in the last 12 months is that the name Android is being associated with malware, whereas the iPhone and BlackBerry are being associated with being secure. I believe the discussion of whether one is more secure than the other is not a question that should be asked of the separate platforms. As we’ve already discussed, code development flaws exist in all platforms. Given the proper amount of scrutiny, security vulnerabilities are sure to be found in the iPhone, BlackBerry and any other platform that will come along. What Android is experiencing is a product of attackers figuring that the Android Market is currently the simplest way to disseminate malware aimed at exploiting vulnerabilities. Since that dissemination method is proven to work, why not focus the research on the platform and use it to their advantage? It’s a cycle that Google and Android can only really address if they change their approach to the Market. But, that’s a whole different discussion.
One final thought: Google is working on an immediate fix to the problem uncovered by Oberheide’s research. Just as Apple and RIM have had to do, a patch will be available to fix the problem shortly.
Mobile Spy Devs at it Again, More Spyware in Android Market
Friday, November 5th, 2010 Filed Under: Mobile Security, Mobile Threats, Security
Those developers at Retina-X are at it again. Retina-X was one of the first commercial spyware developers to venture into the Android platform back in 2009 by porting over their Mobile Spy application to Android. Mobile Spy offers an individual the opportunity to monitor communications and GPS location data of a Smartphone device. This technology is nothing new and even has a viable use case, when developed and used ethically.
There is certainly a legal and ethical case to be made for employers to monitor this type of communication or location data when an employee is using a company provided device. Parents and/or guardians also have the legal right, some would consider it a parental duty, to be aware of what their children are talking about or sending to their friends. The sexting statistics that we’ve discussed at length don’t lie.
The problem that Retina-X and Mobile Spy run into with mobile anti-virus vendors is that their applications actively hide themselves from the user that is being monitored. It opens up the possibility for someone to purchase or download their app and install it on an unsuspecting user’s device so the attacker can illegally monitor their actions. We’ve seen more stories of this type of software being used to spy on someone or as a tool to aid in illegally stalking a victim than we can count.
In the spring of 2010, Retina-X took their Android release of Mobile Spy a step further and ventured into the Android Market by offering the “Smartphone for Android” applications. These applications enabled much of the same functionality as the original Mobile Spy as well as hiding itself from detection. The only major difference was that the name was changed to seem less harmful. They prettied it up to attempt to get past Google’s censors (yes, some apps do get banned).
Versions of the “Smartphone for Android” application were released for Android 1.5, 1.6 and 2.x, however, the applications were pulled from the Market at some point. It is unclear when they were pulled or for what reason. Whether the developer pulled them or if Google wielded their “ban hammer” and chucked them out is unknown. Regardless, they are no longer available.
This week, while cruising through the Market, we came across 3 more additions from Retina-X into the Market: “Mobile Nanny”. Just like its predecessor, “Smartphone for Android”, “Mobile Nanny” has versions for Android 1.5, 1.6, and 2.1. However, the “Mobile Nanny” description in the Market attempts to obfuscate its origin a bit by no longer using web portals for monitoring data that actually state “mobile-spy” in them. A small amount of investigation reveals that the developer, “Mobile Nanny”, is actually Retina-X and Mobile Spy.
By all accounts, “Mobile Nanny” appears to be a fully functional parental control application like many in the Market. “Mobile Nanny” offers the ability for a parent or employer to monitor SMS messages, GPS location, and call logs on the device. “Mobile Nanny” goes further to also offer SMS/Call blocking, time usage restrictions, remote locking and tracking, can block applications from being installed, block web access, or block certain phone capabilities. All of this functionality is remotely configurable and monitored data can be viewed online via the “Mobile Nanny” web portal.
All of this is great. The only problem is that Retina-X continues to hide their application. “Mobile Nanny” does not offer an application icon in the application drawer. Retina-X and a lot of advocates for this type of software would argue that in order for it to be effective, it needs to be hidden so the child or employee doesn’t delete it from the device. This may be a discussion worth having, but it also offers the ability for someone to use this software to illegally monitor the activities of an unsuspecting user. As such, anti-virus vendors should, and will, continue to label this as spyware to ensure that consumers are able to make the decision of whether it should be installed on the handset or not. If there is a legal right for someone to monitor another’s device, then the user can make the decision to allow it to remain on the handset. However, we want to make sure that unsuspecting users, or victims, are equally aware of its use on their device so they can take the proper actions.
Junos Pulse Mobile Security Suite users will be automatically alerted to the existence of “Mobile Nanny” on their handsets. The Pulse MSS Anti-Spyware engine will detect the installed applications, and the on-demand SD card scanning capability will alert the user if the application’s installation package exists on their SD card. Update the virus signature database to ensure that signatures dated 11/5/2010 have been added to the protection capabilities.
Market Trend Analysis Shows Smartphone Use Climbing
Tuesday, November 2nd, 2010 Filed Under: Blog, Mobile Security, Tech
As I was doing my normal rounds of checking out the state of mobility, I ran across a post that discusses some new Smartphone market share trends and analysis. Nielsen has come out with their most recent reporting on their interpretation of the US and global Smartphone market. Their analysis indicates that Smartphones now make up 28% of the entire US cell phone market.
In comparing these numbers to the Canalys’ reporting that was just released, there appears to be a bit of disparity between the two numbers. I’m curious how this happened? Regardless, here are the numbers:
Nielsen says that of the consumers who acquired a new mobile device in the last 6 months, 41% of them opted for a Smartphone of one variety or another. That’s up from just 35% last quarter.
According to Nielsen, Apple has nearly caught RIM (30%) in the US by capturing 28% of the US market, while Android hovers somewhere near 19%, but growing fast. Now here’s where the disparity comes into play. Nielsen’s numbers don’t seem to agree with Canalys’ reporting. Canalys says that Android has stomped all over BlackBerry and Apple by capturing 44% of the US market, leaving Apple only 26%.
I don’t think it really matters all that much who owns what percentage of the market at this point. Attackers have found a weakness in the Android Market that they are looking to take advantage of. It’s the easiest, at this point, which means it’s going to attract the most attention. In the meantime, the extremely smart guys will continue to perform direct-style attack research against ALL platforms to see what is available to them.
If you’re a big numbers person and think I haven’t given enough to chew on, go ahead and check out the links to get the information from the source. I’m just the messenger.
BTW, did you vote today?
Researchers Discover Flaws in Android Kernel
Monday, November 1st, 2010 Filed Under: Blog, Mobile Security, Mobile Threats, Security
In what is certain to be a highly read article from Financial Times, a Software Quality and Security Analysis firm, Coverity, has released information about a code review they performed on a portion of the Android kernel that ships with HTC’s Droid Incredible. The information that is being released at this time indicates that 88 “high-risk” defects were among the programming errors identified with the kernel.
According to Coverity, the number of Android kernel flaws that turned up per thousand lines of code is lower than the average for open-source projects. However, the findings indicate that they include improper memory access and memory corruption flaws that are likely to lead to security vulnerabilities that could cause data loss or quality problems such as system crashes.
Before we begin the debate between Apple and Android users, let’s not forget that BlackBerry and the iPhone have also been forced to fix critical security flaws in their software through updates. This type of release of information is nothing new. Much to the delight of Android users and HTC, Coverity appears to have followed responsible disclosure practices and reported their findings to the vendor first. Andy Chou, Coverity’s co-founder, has pledged to make the findings public in two months time. This should give HTC plenty of time to address and fix the problems that were identified with their code.
Ok, so if Google and HTC now have the ball in their court, what’s the real problem that the Smartphone community faces? It’s simple. Research has begun. Up to this point, the media and Apple enthusiasts have made a huge stink over the fact that a handful of Android applications in the Market are malicious. It’s important to understand that the malicious applications that have been in the news as of late are not a symptom of a flawed operating system. They are a symptom of the “open” nature of the Android Market.
Google specifically created the Market ecosystem with openness in mind. They want the community to regulate the content, as opposed to Apple’s approach of “reviewing” every application before it is permitted to enter the App Store. Android’s philosophy has its pros and cons, just as Apple’s philosophy does. We’re not going to debate them today…it’s tedious and unproductive. What is productive is to ensure that the users of the various philosophies understand that neither is above reproach, nor do they offer absolute security.
These findings by Coverity might just be the first major analysis of the Android kernel. Just because they only looked at the HTC Droid Incredible for their analysis does not mean that the remainder of Android devices are any different. In fact, it would be safe for other vendors to assume that they need to take a hard look at Coverity’s report and apply the data to analysis of their own kernel implementations.
Because of the nature of Google’s open-source Android project, vendors are free to use the code as they wish. This means that HTC, Samsung, Motorola and all of the other vendors of Android devices are free to take Android’s source code and modify it to meet their needs on their particular device. However, I’d venture a guess and say that not very many of the vendors are modifying the actual kernel in any significant way. The rest of the Android world needs to be looking at their code and fixing any problems as well.
The type of research that security experts have been saying is on its way is the exact type of code review that Coverity has performed. Luckily for us, they are a responsible organization with responsible intentions. As a community, security professionals dread the day that this type of research is performed on any platform by members of the hacker community that would rather use their findings to cause mayhem and steal information. They perform the research, they find the vulnerabilities, they develop the exploit code, then they launch the attacks. When this happens, we find ourselves in what is called a “zero-day” race for vendors to identify the source of the problem, develop the fix and then release the updates to fix the problems. All while attackers are freely exploiting vulnerable devices.
We got lucky this time.
iPhone Jailbreak Weaponized to Include Rootkit
Monday, October 25th, 2010 Filed Under: Blog, Mobile Security, Mobile Threats, Security
In a presentation to the crowd at the ToorCon Hacking Conference in San Diego, a Senior Researcher at Trustwave’s SpiderLabs demonstrated that the vulnerability in Apple’s iPhone that has allowed the devices to be jailbroken could also be used to push malware onto the devices and intercept credit card data. Saturday’s demonstration illustrated how the original jailbreakme code could be modified to inject a stripped down remote monitoring application onto the iPhone.
The proof-of-concept code was named “Fat”. According to Eric Monti in an interview with Threatpost, “Fat” was an effort to learn from the work of the team that created the jailbreakme application by “weaponizing” the code. The results of Monti’s work added a rootkit that would remotely control the microphone, SMS, GPS and the camera on the iPhone.
Monti was able to use the rootkit to silently monitor credit card transactions from an iPhone application, “Square”, on an infected device. Though the proof-of-concept code that was demonstrated is harmless and the vulnerabilities that were exploited have been patched by Apple since early August, the point of the demonstration is that the iPhone is no less of a security concern than any other Smartphone platform in use.
Apple’s claim to security fame of having a secure device is made on the back of their review process for applications before submission into the App Store. The presentation of “Fat” demonstrates that Apple’s iPhone is just as vulnerable to attack as any other platform out there. In this particular case, all an attacker would need to do is redirect a browser session to a malicious website that operates in the same manner, with modified code, as the jailbreakme sites that are currently jailbreaking iPhones today.
As the iPhone begins to outsell BlackBerrys in the world markets, we’ll start to see more research of this nature. Apple will continue to play whack-a-jailbreaker in their effort to keep their tight grip over users being able to install 3rd party apps on their own devices. But in doing so, they may be lulling their customers to sleep with a false sense of security. But the question remains: Is Apple’s model of control over the App Store a better model than Android’s model of allowing the community to police the content of their Market?
It’s unmistakable that Android has seen its fair share of malware over the last 12 months. This can be directly attributed to the fact that there is no review process for apps in the Market. But at least users are becoming educated about what they need to do when they are installing applications. Can the same be said about the iPhone? Is the security knowledge level as high as it is among the learning Android user base?
FakePlayer Receives 3rd Monthly Update
Thursday, October 14th, 2010 Filed Under: Mobile Security, Mobile Threats, Security
Yesterday marked the 3rd month in a row that the Russian SMS trojan, FakePlayer, received an update to the Android application that has served as a bit of a “black swan” event. In August, the Global Threat Center began reporting on the existence of the first trojan horse application that affects Android devices.
FakePlayer, as it was dubbed, appears to be a very rudimentary application that attempts to send SMS messages to premium rate numbers. Because of the nature of short code numbers and SMS, this trojan was thought to only work in Russian networks.
Nearly a month later, in September, we reported on a new variant of the original FakePlayer trojan that incorporated a few changes to what the user would see, the propagation method, and how it operates in the background. We also mentioned that the new variant was being referred to as PornoPlayer.
The 2nd version of the SMS trojan used SEO techniques to achieve prominent placement in search results for Russian websites. One of the most visible changes to the 2nd version was that the application icon, which is visible to the user, showed an adult image. Secondly, the premium rate numbers that the SMS messages were sent to in the background were changed, causing the cost for every SMS message sent to be about $6 (about 170 Russian rubles). The new version for the month of September also changed the archive name from RU.apk to pornoplayer.apk.
Now, nearly a month later from the 2nd version update, we’re seeing a 3rd version of the Russian SMS trojan FakePlayer. This version continues to use the same SEO techniques for propagation and the archive name, pornoplayer.apk, stayed the same. So what has changed in the 3rd version?
If infected, the user will once again see the original application icon that resembles the Windows icon for Microsoft’s Media Player, but the application name remains PornoPlayer.
FakePlayer’s new version now sends SMS messages to two premium rate numbers to charge the victim. Just as in the 2nd version of FakePlayer, the 3rd version sends SMS messages to 7132, but it has added a second number of 4161 to the background process that will charge the user $6, or 170 rubles.
As far as we can tell, there are no other changes to this version of the Android SMS trojan application. The Global Threat Center continues to believe that this application will still only work within Russian provider networks. However, it remains important for users to remain vigilant of their phone bill and look for any unauthorized charges. As is normal for all Android applications, the FakePlayer SMS trojan must present the user with the permissions that it needs access to before it can be installed.
In the case of all three of these versions of FakePlayer, the application plainly requests permission to access “Services that cost you money”. It remains incumbent upon the Android user to ensure that they are installing applications that request permissions that make sense for what the application is supposed to do. In this case, a media player application should not be requesting permission to access “Services that cost you money”. Users must simply stay alert when they’re installing Android applications, both from the Android Market or from 3rd party sources…wherever they may be.
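The permission check described above can be done mechanically before an APK is ever installed, by reading the uses-permission entries out of AndroidManifest.xml and comparing them against what the kind of application claims to need. The following script is an added example and is not code from the original post or from SMobile. The manifest it parses is constructed to mirror the FakePlayer behaviour described above (the package name and component names are made up), and the per-app-kind permission baselines are assumptions for illustration, not an Android-defined list. The one thing it does take from Android itself is that the "Services that cost you money" group covers SEND_SMS and CALL_PHONE.

```python
"""Static permission triage for an Android manifest.

Added example, not code from the original post. Extracts the permissions an
APK requests and flags (a) anything in Android's "Services that cost you
money" group and (b) anything outside an assumed baseline for the kind of
application the package claims to be.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# The two permissions Android presents under "Services that cost you money".
COST_MONEY = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
}

# Assumed baselines (illustrative, not an official list): what a legitimate
# app of each kind can plausibly justify asking for.
EXPECTED = {
    "media_player": {
        "android.permission.INTERNET",            # streaming
        "android.permission.WAKE_LOCK",           # keep screen on during playback
        "android.permission.WRITE_EXTERNAL_STORAGE",  # cache to SD card
        "android.permission.READ_PHONE_STATE",    # pause on incoming call
    },
}

# Constructed manifest modelled on a fake media player that sends SMS.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.pornoplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="PornoPlayer">
    <activity android:name=".MoviePlayer"/>
    <receiver android:name=".SmsSender"/>
  </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the sorted list of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = [el.get(NAME_ATTR) for el in root.iter("uses-permission")]
    return sorted(n for n in names if n)


def triage(manifest_xml, app_kind):
    """Compare requested permissions against the baseline for app_kind.

    Returns a list of findings, each a dict with the permission, a severity
    ("high" for cost-money permissions, "review" for anything else outside
    the baseline) and a short reason. Permissions in the baseline produce
    no finding.
    """
    baseline = EXPECTED[app_kind]
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in COST_MONEY:
            findings.append({
                "permission": perm,
                "severity": "high",
                "reason": "'Services that cost you money' is not needed by a %s"
                          % app_kind,
            })
        elif perm not in baseline:
            findings.append({
                "permission": perm,
                "severity": "review",
                "reason": "not in the %s baseline" % app_kind,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_MANIFEST, "media_player"):
        print("[%s] %s: %s" % (f["severity"].upper(), f["permission"], f["reason"]))
```

Run against the constructed manifest, SEND_SMS is reported as high severity and RECEIVE_BOOT_COMPLETED (which lets the trojan restart its background sender after a reboot) is queued for review, while INTERNET passes as normal for a player. In practice the manifest is binary-encoded inside the APK and has to be decoded first (apktool or aapt do this); the triage logic is the same once you have the XML.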
ZeuS Mitmo Trojan Chips Away at PC/Mobile Malware Barrier
Monday, September 27th, 2010 Filed Under: Mobile Security, Mobile Threats
For several years, security researchers have been doing all we can to tell the public that attackers are after their money. I remember back in 2006, when I separated from the Marine Corps and joined a small company in Columbus, Ohio that performed Risk Assessments, Security Assessments, Vulnerability Assessments and other Information Security related services for our client base. One of the services we provided was to gather IT professionals in the area together to discuss what we called the State of the Threat. One of the predominant themes of these briefings was to inform all who would listen that the security paradigm had shifted from one of notoriety amongst the cracker community to organized crime using the same techniques to swindle money from unsuspecting users.
With that shift, fewer and fewer attacks were aimed at defacing websites, and more were designed to steal personal and banking information that could be used for identity theft or direct access to funds. We've seen countless examples of Social Security Numbers being stolen in massive quantities. Several notable incidents saw companies' names dragged through the mud for falling prey to attacks that left millions upon millions of credit card numbers in the hands of attackers, and on and on.
In the mobile space, malware distribution appears to be almost evenly split between spyware that lets someone monitor the communications of an unsuspecting user and trojanized applications that appear to do one thing while sending SMS messages in the background to premium rate numbers owned by the attacker, each of which transfers a small amount of money from the user's mobile account to the attacker's. However, in nearly all of these examples of mobile malware, the attacker must trick the intended user into downloading and installing the malicious application on their Smartphone handset.
Up until this point, PC malware and mobile malware have been relatively segregated. We've only seen isolated instances where attackers have attempted to leverage one to get access to the other. Vodafone was caught shipping Android devices with the Mariposa botnet pre-loaded on the device's SD card; when the user plugged their Android device into their PC via USB, Mariposa would attempt to infect the PC. We've also seen a handful of instances where jailbreaking Apple's iPhone could lead to malware infecting the user's machine. However, none of these instances leveraged PC malware to infect a mobile device in order to gain access to a user's money...until now.
Over the weekend we saw reports of the first PC trojan that leverages mobile malware to insert itself into the security mechanisms employed by financial institutions. Since identity theft and bank account fraud are common goals of malicious PC applications, many financial institutions have introduced secondary methods to identify their users. One such method is to use SMS as a second factor to authenticate the user. This means that in many cases a malicious application that steals a user's username and password for the online banking website no longer has enough information to gain access to the account.
Enter ZeuS, a well-known PC trojan that has been effectively stealing banking credentials for some time now. ZeuS Mitmo (Man-in-the-Mobile) attempts to answer these new security mechanisms by injecting itself into the SMS authentication scheme, in addition to stealing the login credentials for the user's bank. This iteration of ZeuS still relies on tricking the user into installing the ZeuS application on their PC through some form of social engineering. Once it is installed, the next time the user logs into their bank's website their credentials are captured. ZeuS Mitmo then presents the user with a spoofed dialog asking them to accept SMS as an authentication scheme from their bank. To do so, they must enter the number and manufacturer of their Smartphone so that they can receive the "security certificate" supposedly needed for SMS authentication to work. In reality, the "security certificate" is a malicious application that monitors incoming SMS messages, defeating the bank's secondary SMS authentication for access from an unknown location. In addition to monitoring SMS messages, the installed application can open a backdoor channel that can be used for command and control.
At this point, ZeuS Mitmo can infect Symbian and BlackBerry devices. By answering the questions in the spoofed dialog, the user gives ZeuS all of the information it needs to decide which version of the mobile application to send to the device for installation. A complete analysis of the mobile applications has been posted here. By all accounts, this version of ZeuS is functional, if not an especially difficult implementation, and it is a direct answer to financial institutions that look outside the wired PC network to verify the identity of their users. The caveat for defenders is plain: an SMS second factor is only as trustworthy as the handset it is delivered to, and here that handset is under the attacker's control.
Some of you may have heard the news that the Department of Justice and the Federal Trade Commission are currently in discussions to determine which agency will open an antitrust inquiry into Apple over a newly implemented policy. When I first saw the article from the New York Post discussing the DoJ/FTC inquiry, I immediately thought I was going to read about government regulators looking into the almost Orwellian control Apple maintains over the application ecosystem that is the App Store. An awful lot of "experts" in the industry spend a good amount of time debating whether Apple's policy of restricting or approving applications for publication and use on the iPhone/iPad is acceptable. I have several opinions on that particular subject, but I'm only going to ask one question and then I'll get to what is actually going on between Apple and the DoJ/FTC:
Let's assume for a second that Apple were to open the App Store to unrestricted development with no approval process (I know, it's crazy, right?). Who are all of the talking heads and analysts going to turn on when it gets overrun by malware? Will they blame Apple, or will they blame the developers who are creating the malicious apps? Think about that for a second...
As I read through the article, an entirely different case began to take shape...and it may have some merit. In the final months of 2009, Adobe announced that Flash Professional CS5 would include the Packager for iPhone when it shipped. From Adobe's website, Flash Professional CS5 will benefit iPhone developers in the following ways:
“The Packager for iPhone allows developers to use Flash technologies to develop content for iPhone and iPod touch, devices that were previously closed to them. Developers can write new code or reuse existing web content to build applications for iPhone. Because the source code and assets are reusable across the Flash Platform runtimes,—Adobe AIR and Flash Player—it also gives developers a way to more easily target other mobile and desktop environments.”
Just like me, you may be wondering how this differs from Adobe Flash Player 10 coming to the iPhone. Here is what Adobe has to say:
"The new support for iPhone applications included in Flash Professional CS5 will not allow iPhone users to browse web content built with Flash technology on iPhone, but it may allow developers to repackage existing web content as applications for iPhone if they choose to do so. Flash Player uses a just-in-time compiler and virtual machine within a browser plug-in to play back content on websites. Those technologies are not allowed on the iPhone at this time, so a Flash Player for iPhone is not being made available today.
Flash Professional CS5 will include a Packager for iPhone that will enable developers to build applications for iPhone that are then installed as native applications. Users will be able to access the apps after downloading them from Apple’s App Store and installing them on iPhone or iPod touch.”
In essence, Adobe attempted an end-run around Apple's policy of not allowing Flash content to be browsed on the web from an iPhone by creating a framework that lets developers take that same existing content and emit a native iPhone application that uses it. All well and good, and pretty darn ingenious, if you ask me. But there's one little problem.
Whether because of Steve Jobs' well publicized dislike for anything related to Adobe, or because Apple decided that now was a good time to take a hardline stance, Apple added new language to section 3.3.1 of the iPhone Developer Program License Agreement. The section states that "Applications may only use Documented APIs in the manner prescribed by Apple and must not use or call any private APIs", and the added text goes on to prohibit applications that link to the Documented APIs through an intermediary translation or compatibility layer or tool. Those few lines rule out code produced by cross-compilers and similar translation tools.
In other words, Apple has stated that it will not allow applications to be published to the App Store that were developed with any tool other than the Apple Software Development Kit (SDK), effectively pushing Adobe's Flash Professional CS5 right out of the playing field for iPhone/iPad development...again. Whether we're talking about Adobe or any other rapid-development tool, Apple is telling developers they need to make a decision: either they can continue to use framework-like tools that build platform independent applications and translate them into platform specific apps, or they can develop applications for Apple products.
In the real world, developers are paid for their time by selling their apps. Being able to create a platform independent application and then translate and compile it for multiple platforms is huge. Apple just told them they can't do it on its platform. Hence the decision now facing developers, and the decision now facing the DoJ/FTC.
BlackBerrySync.com Compares SMobile and Lookout Security
Monday, April 19th, 2010 Filed Under: Mobile Security
On Thursday morning, the good people over at BlackBerrySync.com released the results of a study that compared two mobile security products to determine which is the better one. BlackBerrySync.com is widely considered one of the leading sites on the Internet for all things BlackBerry, and they have also followed SMobile's products for quite a while. In fact, the author of the study has been running SMobile's security software on her personal device for quite some time now.
The author does a great job of explaining why she wanted to perform this side-by-side test against five of the leading spyware applications available to attackers interested in spying on BlackBerry users. The spyware products she tested against were Flexispy, MobileSpy, PhoneSnoop, Flexispy Pro, and SpyBubble.
Instead of simply restating her results, I believe you should read her report to get the full picture. There were some pretty startling results...