Mobile Threats archives

Security Researcher Bypasses Android’s Consumer-Facing Security Controls

Filed Under: Blog, Mobile Security, Mobile Threats, Security
Thursday, November 11th, 2010

Now is probably the best time to have this discussion with Android users, and Smartphone users in general. So, I guess I’ll just dive right in and begin by saying that if you don’t take the threat of malware attack on your Smartphone seriously, you’re going to be compromised. Your communications will be monitored, any accounts you access and credentials you use from the phone will be intercepted, your sensitive data will be stolen. To add insult to injury, you might also end up having to pay some attacker for however many premium rate SMS messages your phone sent to their short code number after they’re done stealing your information.

These statements may seem a little far reaching when it comes to the concept of mobile security and Smartphone use, I know. It is much easier to make these statements when talking about a PC running a Windows operating system. In today’s world, if you use Windows, you absolutely must rely on several different security applications to keep your machine safe. Has anyone ever tried to put a Windows XP machine on the wild Internet with no protection? It’s madness.

The most recent statistic I can find for this type of “test” is more than two years old and puts the average infection time at five minutes. That is five minutes from the time that you plug an ethernet cable into the ethernet port of a machine that has no security applications protecting it, to the time that it has picked up some worm, trojan, or botnet, been port scanned a few times, or suffered any of the other ridiculous things out on the wild Internet. I have to wonder why the quick search I just did for this statistic only comes back with data from two years ago. Is it because it’s gotten so bad that people stopped keeping track?

Why, you may be asking, is this guy talking about Windows when he started talking about Smartphones and stealing data? Well, it’s because there are parallels that must be understood in order to be able to make the statements that were made. Windows is NOT the most flawed operating system to ever exist. Windows happens to be the most USED operating system to ever exist. Estimates put the various flavors of Windows somewhere around 90% - 93% of the world PC market. Identity theft and electronic fraud are a multi-billion dollar a year business. In this business it makes almost no sense for the players to spend any significant amount of time researching code and developing exploits for platforms that only make up 7% of the world market. Instead, thousands upon thousands of hours are spent digging into Microsoft and exploiting the lowest hanging fruit that can be found.

This paradigm is playing out in the Smartphone ecosystem as well. Apple says that they hold a tight grip over their App Store. No malicious apps in or out. They have a review process that is supposed to keep the bad things off of your iPhone. So far, it’s worked out pretty well for them. But that does not mean that the iPhone is secure. We know that portions of iOS have been shown to have their fair share of security flaws that have forced Apple to release patches and updates to quickly address them. The lack of malware in the App Store is completely independent of whether or not there are security flaws in the iOS implementation.

However, Android’s openness in their Android Market has caused attackers to focus their attention on Google’s platform. When it is all said and done, the armchair quarterbacks of information security will end up saying that Android is flawed, where the iPhone is secure. I believe this is going to be a flawed premise based upon the simple fact that Android’s Market allows anyone to publish any app at any time, and expects the community to regulate the content.

It is important to understand the correlation between malicious applications and the research behind their ability to exploit the flaws that they do. Because Apple’s App Store is more likely to weed out malicious apps before they are made available than Android’s Market, those that wish to continue their illegal activity in the Smartphone industry will focus their attention on Android. These individuals will likely drop the heavy research initiatives against the iPhone to find security flaws and they will focus their time and effort on Android. It does no good to find a security flaw in the iPhone, if there is almost no viable means of disseminating the exploit. They’re going to go after the lowest hanging fruit in the Android Market. We’ll call it their M.O.

So, how do Google and Android combat this reality? What do they have in place to attempt to blunt the effect of malware existing in the Market? Their primary means of defense is to educate the user on the importance of installing trusted apps and to use the “permissions declaration” that an app is forced to present before a user installs anything on the handset. Now, we all know that almost no one pays attention to this advice; they just click through the install process on every new, hot app that they want to play with. If we know this, so does the attacker.

What happens when the attacker is able to completely bypass the single control that Google has implemented to protect the consumer from compromise? What happens if someone is able to trick the permissions declaration into displaying something incorrect, or bypass it altogether so that it never even asks the user to approve anything in the install process?

This is exactly what has happened. Early Wednesday morning, a security researcher, who has been doing an incredible amount of analysis of Android’s GTalk services, released a proof-of-concept application into the Android Market that, once it is installed, is capable of installing additional apps in the background without being required to declare the fact that something is happening. In essence, he’s shown that it is possible for one application to install additional malicious applications with no need to declare the permissions they will use.

In his analysis of the GTalk services, Jon Oberheide identified a token used with the Market application (vending.apk) that a developer is able to leverage to bypass the permission restrictions, allowing an app to be installed without the user’s knowledge or consent. In essence, he broke Google’s consumer-facing security control against malicious applications. All he had to do was use a bit of social engineering and the knowledge that users are unlikely to pay attention to what they are installing.

It’s important to state that this application was only in the Market for six hours before it was removed and banned. However, if you look at the application’s Market description, you’ll see the social engineering that was used. He simply hid his proof-of-concept code in a supposed “add-on” for the “Angry Birds” game by Rovio Mobile. “Angry Birds” is a game that has spread like wildfire through the Android user base. Latest estimates put the download rate at about 6.3 million downloads. Mr. Oberheide simply released an application that purported to be bonus levels for the “Angry Birds” game. It’s simple. It’s ingenious.

In six hours, he was able to get 50 downloads of the application, none of which would have alerted the user to the fact that it had just installed three malicious applications with access to the device’s contacts, location data and SMS functionality. But, it is important to note that the “Angry Birds Bonus Levels” application did require the user to approve the permissions that it needed to function when it was initially installed from the Market. It was the applications being installed in the background that bypassed the notification process that Android relies upon for the user to make intelligent decisions. Let’s take a look at the permissions those 50+ people approved in an application that was meant only to add a few levels to a game about birds:

android.permission.USE_CREDENTIALS
android.permission.INTERNET
android.permission.GET_ACCOUNTS
com.google.android.providers.gsf.permission.READ_GSERVICES

These are the only four permissions this application requests. Even the most technologically illiterate person should be able to read these and know that something is extremely wrong with the things it is trying to have access to. But there’s a problem. This is not how Android presents the requested permissions to the user. Instead, Android groups permissions into user-friendly descriptions that users might better understand. For example, instead of the “android.permission.USE_CREDENTIALS” permission being displayed, the user would see a declaration that says the app would like access to “Your Accounts”. Additionally, the “com.google.android.providers.gsf.permission.READ_GSERVICES” permission would be displayed to the user in the same way, simply as “Your Google Accounts”. In my opinion, the user-friendly version of the permissions declaration actually hinders the user’s ability to see exactly what is going on, because it obfuscates the actual permission that is being requested with a general description of obtuse activities. But, I digress.

What interested parties have seen happen in the last 12 months is that the name Android is being associated with malware, whereas the iPhone and BlackBerry are being associated with being secure. I believe the question of whether one is more secure than the other is not a question that should be asked of the separate platforms. As we’ve already discussed, code development flaws exist in all platforms. Given the proper amount of scrutiny, security vulnerabilities are sure to be found in the iPhone, BlackBerry and any other platform that will come along. What Android is experiencing is a product of attackers figuring that the Android Market is currently the simplest way to disseminate malware aimed at exploiting vulnerabilities. Since that dissemination method is proven to work, why not focus the research on the platform and use it to their advantage? It’s a cycle that Google and Android can only really address if they change their approach to the Market. But, that’s a whole different discussion.

One final thought: Google is working on an immediate fix to the problem uncovered by Oberheide’s research. Just as Apple and RIM have had to do, a patch will be available to fix the problem shortly.



Mobile Spy Devs at it Again, More Spyware in Android Market

Filed Under: Mobile Security, Mobile Threats, Security
Friday, November 5th, 2010

Those developers at Retina-X are at it again. Retina-X was one of the first commercial spyware developers to venture into the Android platform back in 2009 by porting over their Mobile Spy application to Android. Mobile Spy offers an individual the opportunity to monitor communications and GPS location data of a Smartphone device. This technology is nothing new and even has a viable use case; when developed and used ethically.

There is certainly a legal and ethical case to be made for employers to monitor this type of communication or location data when an employee is using a company provided device. Parents and/or guardians also have the legal right, some would consider it a parental duty, to be aware of what their children are talking about or sending to their friends. The sexting statistics that we’ve discussed at length don’t lie.

The problem that Retina-X and Mobile Spy run into with mobile anti-virus vendors is that their applications actively hide themselves from the user being monitored. This opens up the possibility for someone to purchase or download their app and install it on an unsuspecting user’s device so the attacker can illegally monitor their actions. We’ve seen more stories of this type of software being used to spy on someone, or as a tool to aid in illegally stalking a victim, than we can count.

In the spring of 2010, Retina-X took their Android release of Mobile Spy a step further and ventured into the Android Market by offering the “Smartphone for Android” applications. These applications enabled much of the same functionality as the original Mobile Spy, including hiding themselves from detection. The only major difference was that the name was changed to seem less harmful. They prettied it up to attempt to get past Google’s sensors (yes, some apps do get banned).

Versions of the “Smartphone for Android” application were released for Android 1.5, 1.6 and 2.x, however, the applications were pulled from the Market at some point. It is unclear when they were pulled or for what reason. Whether the developer pulled them or if Google wielded their “ban hammer” and chucked them out is unknown. Regardless, they are no longer available.

This week, while cruising through the Market, we came across 3 more additions from Retina-X: “Mobile Nanny”. Just like its predecessor, “Smartphone for Android”, “Mobile Nanny” has versions for Android 1.5, 1.6, and 2.1. However, the “Mobile Nanny” description in the Market attempts to obfuscate its origin a bit by no longer using web portals for monitoring data that actually state “mobile-spy” in them. A small amount of investigation reveals that the developer, “Mobile Nanny”, is actually Retina-X and Mobile Spy.

By all accounts, “Mobile Nanny” appears to be a fully functional parental control application like many in the Market. “Mobile Nanny” offers the ability for a parent or employer to monitor SMS messages, GPS location, and call logs on the device. “Mobile Nanny” goes further to also offer SMS/call blocking, time usage restrictions, remote locking and tracking, and can block applications from being installed, block web access, or block certain phone capabilities. All of this functionality is remotely configurable, and monitored data can be viewed online via the “Mobile Nanny” web portal.

All of this is great. The only problem is that Retina-X continues to hide their application. “Mobile Nanny” does not offer an application icon in the application drawer. Retina-X and a lot of advocates for this type of software would argue that in order for it to be effective, it needs to be hidden so the child or employee doesn’t delete it from the device. This may be a discussion worth having, but it also offers the ability for someone to use this software to illegally monitor the activities of an unsuspecting user. As such, anti-virus vendors should, and will, continue to label this as spyware to ensure that consumers are able to make the decision of whether it should be installed on the handset or not. If there is a legal right for someone to monitor another’s device, then the user can make the decision to allow it to remain on the handset. However, we want to make sure that unsuspecting users, or victims, are equally aware of its use on their device so they can take the proper actions.

Junos Pulse Mobile Security Suite users will be automatically alerted to the existence of “Mobile Nanny” on their handsets. The Pulse MSS Anti-Spyware engine will detect the installed applications, and the on-demand SD card scanning capability will alert the user if the application’s installation package exists on their SD card. Users should update the virus signature database to ensure signatures dated 11/5/2010 have been added to the protection capabilities.



Researchers Discover Flaws in Android Kernel

Filed Under: Blog, Mobile Security, Mobile Threats, Security
Monday, November 1st, 2010

In what is certain to be a highly read article from the Financial Times, a Software Quality and Security Analysis firm, Coverity, has released information about a code review they performed on a portion of the Android kernel that ships with HTC’s Droid Incredible. The information that is being released at this time indicates that 88 “high-risk” defects were among the programming errors identified in the kernel.

According to Coverity, the number of Android kernel flaws that turned up per thousand lines of code is lower than the average for open-source projects. However, the findings indicate that they include improper memory access and memory corruption flaws that are likely to lead to security vulnerabilities that could cause data loss or quality problems such as system crashes.

Before we begin the debate between Apple and Android users, let’s not forget that BlackBerry and the iPhone have also been forced to fix critical security flaws in their software through updates. This type of release of information is nothing new. Much to the delight of Android users and HTC, Coverity appears to have followed responsible disclosure practices and reported their findings to the vendor first. Andy Chou, Coverity’s co-founder, has pledged to make the findings public in two months’ time. This should give HTC plenty of time to address and fix the problems that were identified in their code.

Ok, so if Google and HTC now have the ball in their court, what’s the real problem that the Smartphone community faces? It’s simple. Research has begun. Up to this point, the media and Apple enthusiasts have made a huge stink over the fact that a handful of Android applications in the Market are malicious. It’s important to understand that the malicious applications that have been in the news as of late are not a symptom of a flawed operating system. They are a symptom of the “open” nature of the Android Market.

Google specifically created the Market ecosystem with openness in mind. They want the community to regulate the content, as opposed to Apple’s approach of “reviewing” every application before it is permitted to enter the App Store. Android’s philosophy has its pros and cons, just as Apple’s philosophy does. We’re not going to debate them today…it’s tedious and unproductive. What is productive is to ensure that the users of the various philosophies understand that neither is above reproach, nor do they offer absolute security.

These findings by Coverity might just be the first major analysis of the Android kernel. Just because they only looked at the HTC Droid Incredible for their analysis does not mean that the remainder of Android devices are any different. In fact, it would be safe for other vendors to assume that they need to take a hard look at Coverity’s report and apply the data to analysis of their own kernel implementations.

Because of the nature of Google’s open-source Android project, vendors are free to use the code as they wish. This means that HTC, Samsung, Motorola and all of the other vendors of Android devices are free to take Android’s source code and modify it to meet their needs on their particular device. However, I’d venture a guess and say that not very many of the vendors are modifying the actual kernel in any significant way. The rest of the Android world needs to be looking at their code and fixing any problems as well.

The type of research that security experts have been saying is on its way is the exact type of code review that Coverity has performed. Luckily for us, they are a responsible organization with responsible intentions. As a community, security professionals dread the day that this type of research is performed on any platform by members of the hacker community that would rather use their findings to cause mayhem and steal information. They perform the research, they find the vulnerabilities, they develop the exploit code, then they launch the attacks. When this happens, we find ourselves in what is called a “zero-day” race for vendors to identify the source of the problem, develop the fix and then release the updates to fix the problems. All while attackers are freely exploiting vulnerable devices.

We got lucky this time.



iPhone Jailbreak Weaponized to Include Rootkit

Filed Under: Blog, Mobile Security, Mobile Threats, Security
Monday, October 25th, 2010

In a presentation to the crowd at the ToorCon Hacking Conference in San Diego, a Senior Researcher at Trustwave’s Spider Labs demonstrated that the vulnerability in Apple’s iPhone that has allowed the devices to be jailbroken could also be used to push malware onto the devices and intercept credit card data. Saturday’s demonstration illustrated how the original jailbreakme code could be modified to inject a stripped down remote monitoring application onto the iPhone.

The proof-of-concept code was named “Fat”. According to Eric Monti in an interview with Threatpost, “Fat” was an effort to learn from the work of the team that created the jailbreakme application by “weaponizing” the code. The results of Monti’s work added a rootkit that would remotely control the microphone, SMS, GPS and the camera on the iPhone.

Monti was able to use the rootkit to silently monitor credit card transactions from an iPhone application, “Square”, on an infected device. Though the proof-of-concept code that was demonstrated is harmless and the vulnerabilities that were exploited have been patched by Apple since early August, the point of the demonstration is that the iPhone is no less of a security concern than any other Smartphone platform in use.

Apple’s claim to security fame of having a secure device is made on the back of their review process for applications before submission into the App Store. The presentation of “Fat” demonstrates that Apple’s iPhone is just as vulnerable to attack as any other platform out there. In this particular case, all an attacker would need to do is redirect a browser session to a malicious website that operates in the same manner, with modified code, as the jailbreakme sites that are currently jailbreaking iPhones today.

As the iPhone begins to outsell BlackBerrys in the world markets, we’ll start to see more research of this nature. Apple will continue to play whack-a-jailbreaker in their effort to keep their tight grip over users being able to install 3rd party apps on their own devices. But in doing so, they may be lulling their customers to sleep with a false sense of security. But the question remains: Is Apple’s model of control over the App Store a better model than Android’s model of allowing the community to police the content of their Market?

It’s unmistakable that Android has seen its fair share of malware over the last 12 months. This can be directly attributed to the fact that there is no review process for apps in the Market. But at least users are becoming educated about what they need to do when they are installing applications. Can the same be said about the iPhone? Is the security knowledge level as high as it is among the learning Android user base?



FakePlayer Receives 3rd Monthly Update

Filed Under: Mobile Security, Mobile Threats, Security
Thursday, October 14th, 2010

Yesterday marked the 3rd month in a row that the Russian SMS trojan, FakePlayer, received an update to the Android application that has served as a bit of a “black swan” event. In August, the Global Threat Center began reporting on the existence of the first trojan horse application that affects Android devices.

FakePlayer, as it was dubbed, appears to be a very rudimentary application that attempts to send SMS messages to premium rate numbers. Because of the nature of short code numbers and SMS, this trojan was thought to only work in Russian networks.

Nearly a month later, in September, we reported on a new variant of the original FakePlayer trojan that incorporated a few changes to what the user would see, the propagation method, and how it operates in the background. We also mentioned that the new variant was being referred to as PornoPlayer.

The 2nd version of the SMS trojan used SEO techniques to achieve prominent placement in search results for Russian websites. One of the most visible changes in the 2nd version was that the application icon visible to the user showed an adult image. Secondly, the premium rate numbers that the SMS messages were sent to in the background were changed, causing the cost for every SMS message sent to be about $6 (about 170 Russian rubles). The new version for the month of September also changed the archive name from RU.apk to pornoplayer.apk.

Now, nearly a month later from the 2nd version update, we’re seeing a 3rd version of the Russian SMS trojan FakePlayer. This version continues to use the same SEO techniques for propagation and the archive name, pornoplayer.apk, stayed the same. So what has changed in the 3rd version?

If infected, the user will once again see the original application icon that resembles the Windows icon for Microsoft’s Media Player, but the application name remains PornoPlayer.

FakePlayer’s new version now sends SMS messages to two premium rate numbers to charge the victim. Just as in the 2nd version of FakePlayer, the 3rd version sends SMS messages to 7132, but it has added a second number of 4161 to the background process that will charge the user $6, or 170 rubles.

As far as we can tell, there are no other changes to this version of the Android SMS trojan application. The Global Threat Center continues to believe that this application will still only work within Russian provider networks. However, it remains important for users to remain vigilant of their phone bill and look for any unauthorized charges. As is normal for all Android applications, the FakePlayer SMS trojan must present the user with the permissions that it needs access to before it can be installed.

In the case of all three of these versions of FakePlayer, the application plainly requests permission to access “Services that cost you money”. It remains incumbent upon the Android user to ensure that they are installing applications that request permissions that make sense for what the application is supposed to do. In this case, a media player application should not be requesting permission to access “Services that cost you money”. Users must simply stay alert when they’re installing Android applications, both from the Android Market or from 3rd party sources…wherever they may be.
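The check these posts keep coming back to, whether an app’s declared permissions make sense for what it claims to do, can be automated at install or triage time. The following is an added example, not code from the original posts or from any vendor: it reads the `<uses-permission>` entries from an AndroidManifest.xml, shows how the install screen collapses them into the user-friendly captions described in the Angry Birds post (USE_CREDENTIALS and GET_ACCOUNTS both become one line, “Your accounts”), and flags anything outside an allowlist for the app’s stated purpose. The caption mapping and allowlists are assumptions for illustration, and both manifests are constructed.

```python
"""Triage an Android manifest's declared permissions against the app's
stated purpose.  Added example, not from the original posts.  The caption
mapping reproduces the Android 2.x install-screen wording the posts cite
(e.g. SEND_SMS shown as "Services that cost you money") and is an
illustrative assumption, not an exhaustive copy of the platform's table."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Raw permission -> caption the user actually sees on the install screen.
# Assumption: limited to the permissions discussed in the posts.
PERMISSION_CAPTIONS = {
    "android.permission.USE_CREDENTIALS": "Your accounts",
    "android.permission.GET_ACCOUNTS": "Your accounts",
    "com.google.android.providers.gsf.permission.READ_GSERVICES": "Your Google accounts",
    "android.permission.INTERNET": "Network communication",
    "android.permission.SEND_SMS": "Services that cost you money",
    "android.permission.CALL_PHONE": "Services that cost you money",
    "android.permission.READ_CONTACTS": "Your personal information",
    "android.permission.ACCESS_FINE_LOCATION": "Your location",
}

# What an app of a given stated purpose plausibly needs (assumption; a real
# policy would be tuned per deployment).  Unknown purposes allow nothing,
# so every permission is surfaced for review.
EXPECTED_BY_PURPOSE = {
    "game": {"android.permission.INTERNET"},
    "media player": {"android.permission.INTERNET"},
}

# Constructed manifest modelled on the four permissions the bonus-levels
# add-on requested; the package name is a placeholder.
ADDON_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bonuslevels">
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES"/>
</manifest>"""

# Constructed manifest for a "media player" that also asks to send SMS,
# the tell-tale the FakePlayer post describes.
PLAYER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the raw permission names in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [e.get(NAME_ATTR) for e in root.iter("uses-permission")
            if e.get(NAME_ATTR)]


def triage(manifest_xml, purpose):
    """Compare what the manifest asks for with what the purpose justifies.

    Returns a dict with the raw list, the collapsed captions the user would
    see, how many raw permissions the captions hid, and the permissions
    that fall outside the allowlist for the stated purpose."""
    declared = declared_permissions(manifest_xml)
    captions = sorted({PERMISSION_CAPTIONS.get(p, p) for p in declared})
    allowed = EXPECTED_BY_PURPOSE.get(purpose, set())
    unexpected = [p for p in declared if p not in allowed]
    return {
        "declared": declared,
        "captions": captions,
        "collapsed": len(declared) - len(captions),
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    for label, manifest, purpose in (("bonus levels", ADDON_MANIFEST, "game"),
                                     ("fake player", PLAYER_MANIFEST, "media player")):
        result = triage(manifest, purpose)
        print(label, "->", result["captions"])
        for p in result["unexpected"]:
            print("   unexpected for a %s: %s" % (purpose, p))
```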



ZeuS Mitmo Trojan Chips Away at PC/Mobile Malware Barrier

Filed Under: Mobile Security, Mobile Threats
Monday, September 27th, 2010

For several years, security researchers have been doing all we can to tell the public that attackers are after their money. I remember back in 2006, when I separated from the Marine Corps and joined a small company in Columbus, Ohio that performed Risk Assessments, Security Assessments, Vulnerability Assessments and other Information Security related services for our client base. One of the services we provided was to gather IT professionals in the area together to discuss what we called the State of the Threat. One of the predominant themes of these briefings was to inform all that would listen that the security paradigm had shifted from one of notoriety amongst the cracker community to organized crime using the same techniques to swindle money from unsuspecting users.

The paradigm shift saw fewer and fewer attacks aimed at defacing websites and more attacks designed to steal personal and banking information that could be used for identity theft or direct access to funds. We’ve seen countless examples of Social Security Numbers being stolen in massive amounts. Several notable incidents revealed companies’ names being raked through the mud for falling prey to attacks that left millions upon millions of credit card numbers in the hands of attackers, and on and on.

In the mobile space, malware distribution appears to be almost evenly split between spyware that could allow someone to spy on the communications of an unsuspecting user and trojanized applications that appear to do one thing while sending SMS messages in the background to premium rate numbers, owned by the attacker, which transfers small amounts of money from the user’s mobile account to the attacker’s account. However, in nearly all of these examples of mobile malware, the attackers must trick the intended user into downloading and installing the malicious application on their Smartphone handset.

Up until this point, PC malware and mobile malware have been relatively segregated. We’ve only seen random instances where attackers have attempted to leverage one to get access to the other. Vodafone was caught shipping Android devices with the Mariposa botnet pre-loaded on the device’s SD card. When the user would plug their Android device into their PC via USB, the Mariposa botnet would attempt to infect the user’s PC. We’ve also seen a handful of instances where jailbreaking Apple’s iPhone could lead to malware infecting the user’s machine. However, none of these instances appeared to leverage PC malware to infect a mobile device in order to gain access to a user’s money…until now.

Over the weekend we saw reports of the first PC trojan leveraging mobile malware to attempt to interject itself into security mechanisms employed by financial institutions. Since identity theft and bank account fraud is common amongst malicious PC applications, many financial institutions have instituted secondary methods to identify their users. One such method that is being employed is for the financial institution to use SMS as a means to authenticate the user. This means that in a lot of cases, a malicious application stealing a user’s username and password for the online banking website may not be enough information to gain access to the user’s account.

Enter a well-known PC trojan, ZeuS, that has been effectively stealing banking credentials for some time now. ZeuS Mitmo (Man-in-the-Mobile) now attempts to answer these new security mechanisms by injecting itself into the SMS authentication scheme, as well as stealing the login credentials for the user’s banking institution. This iteration of ZeuS, as a means to stealing bank account information, relies on tricking the user into installing the ZeuS application on their PC using some sort of social engineering attack. Once it is installed, the next time the user logs into their bank’s website, their credentials will be captured. ZeuS Mitmo then goes on to present the user with a spoofed dialog that attempts to get the user to accept SMS as an authentication scheme from their bank. In doing so, they’ll need to enter the number and manufacturer for their Smartphone so they can receive the “security certificate” necessary to allow the SMS authentication to function properly. In reality, the “security certificate” is actually a malicious application that is capable of monitoring SMS messages in the case where the bank has implemented the secondary SMS authentication requirements to gain access from an unknown location. In addition to monitoring SMS messages, the malicious application that is installed also has the ability to open a backdoor channel that can be used for command and control.

At this point, ZeuS Mitmo can infect Symbian and BlackBerry devices. By answering the questions that are presented by the spoofed dialogue, the user is giving ZeuS all of the information that is necessary to determine which version of the mobile application it needs to send to the device for installation. A complete analysis of mobile applications has been posted here. By all accounts, ZeuS is functional, if not a difficult implementation and means of answering the question posed by financial institutions who attempt to look outside of the wired PC network to ensure the identity of their users.



MMS Bomber Attacks China

Filed Under: Blog, Mobile Threats
Monday, April 5th, 2010

Over the Easter weekend, there were stories coming out of China about a ‘virus’ called ‘MMS Bomber’ that was running rampant through Chinese smartphones. Conservative estimates put the number of affected devices at hundreds of thousands to possibly more than a million, infected by a virus that appeared to be spreading over MMS.

Proper analysis of the malware in question revealed that a multitude of Chinese users had been affected by a new variant, Yxe.e, of the Worm.SymbOS.Yxe family of worms. The Yxe worm is widely known to be the very first malicious program that was able to infect Symbian S60 3rd Edition devices that also had a valid digital signature. Yxe.e’s predecessors (Yxe.a - Yxe.d) had the following functionality:

  • Spread via SMS messages which contained a link to the worm
  • Used social engineering in order to trick victims
  • Harvested data about the smartphone from the device
  • Sent the harvested data to a cybercriminal server
  • Attempted to terminate third-party applications designed for working with the smartphone’s file system or with active applications

Yxe.e adds in the following additional capabilities:

  • Sends MMS messages containing a link to itself, and, attached, a black and white skull and crossbones image (Skuller, a Trojan which first appeared in 2004, also used a skull and crossbones)
  • Connects to a Chinese social networking site
  • Downloads files
  • Blocks the smartphone’s Software Manager, making it more difficult to delete the malware

The Yxe.e worm currently spreads via MMS messages that use social engineering to trick the user into following a link to a website from which they download and install the malicious program. Once the malicious application is installed on the victim’s device, Yxe.e automatically begins harvesting information about the device and sends it off, via SMS, to a server controlled by criminals. Yxe.e will then attempt to stop several processes on the Symbian device that could assist the victim in identifying the malicious nature of the application or in uninstalling it. In an attempt to propagate itself, Yxe.e will then begin crafting and sending MMS messages containing the download URL for the malicious application to phone numbers in the device address book, all at a cost to the user of the infected device. Yxe.e is also known to attempt to connect to and spread itself via a Chinese social networking site.

It is believed that infections of the Yxe.e worm have been limited to devices operating within China. Symbian devices make up the largest percentage of smartphone devices in use outside of the U.S. However, Symbian devices make up merely a fraction of the market share of smartphones in the U.S. and North America.

As is the case with every malware threat that affects BlackBerry, iPhone and Android devices, the Yxe.e worm requires that the user manually install the malicious program, albeit under false pretenses. SMobile Security Shield currently provides detection and removal of this Symbian threat.



Study of Android Malware in the Market

Filed Under: Mobile Threats, Security
Monday, March 29th, 2010

The SMobile Global Threat Center (GTC) has released a study of malicious applications that currently exist in the Android Market. This study attempts to identify applications that are available for download that either market themselves as spyware, or have the ability to be used as a spying application against an unaware user. SMobile identifies and categorizes malicious applications that could enable illegal spying based upon the fact that the application lends the ability to hide itself from detection from a user. According to information security managers around the world, spyware represents the greatest threat to intellectual property or proprietary information manipulated on mobile devices. Law enforcement officials have stated that spyware could lead to identity theft, loss of sensitive, personal or financial information, and is often used to illegally track the movements and communications of consumers.

To continue reading, download the full report:

Android Malware in the Market



FlexiSpy Dives into Android

Filed Under: Mobile Threats
Tuesday, March 23rd, 2010

Over the last month, I’ve written two lengthy whitepapers discussing malware affecting Android devices. The first whitepaper looks at some spyware applications that are available for Android that have not yet been published to the Android Market. In that paper we discussed Mobile Spy and MobiStealth, as well as the bank phishing app from Droid09 that actually made its way into the Market for a short period of time before the community reacted and had it taken down.

The second whitepaper has yet to be published, but as a sneak peek, we take an in-depth look at Android spyware that is currently in the Android Market and being marketed as tools to facilitate “legal” spying, as well as “illegal” spying. The handful of applications from various developers that we found used different methods to hide themselves from detection, which is the determining factor when SMobile categorizes an application with monitoring capabilities as spyware.

Call it job security or bad luck, but almost as soon as I was done with these papers we found that FlexiSpy had published their first version of spyware for Android. As you may or may not remember, FlexiSpy is widely considered to be the leader in spyware for smartphones. To date, they offer versions of their software for Symbian, Windows Mobile, BlackBerry, iPhone and now Android. Various versions of FlexiSpy offer different levels of spying capabilities at different costs to the consumer.

Though there are now a multitude of imitators attempting to compete with FlexiSpy’s capabilities, it is undeniable that FlexiSpy did the lion’s share of the initial work in developing the capabilities necessary to make these types of applications a reality. Traditionally, FlexiSpy offers the ability for an attacker to:

  • Read the victim’s call records
  • Determine the device’s GPS location
  • Read SMS and Email messages
  • Listen in on actual phone calls as they are in progress
  • Be notified when the SIM has been changed
  • Activate the device’s microphone (spy call) in order to listen to ambient room conversation
  • Remotely configure the spyware via undetectable SMS messages
  • Centrally manage acquired logs via a web portal

Fortunately for unsuspecting victims, the version of FlexiSpy that was just released for Android devices only allows an attacker to read the victim’s call records, read SMS messages, and determine GPS location. Well, I guess that’s still enough to be considered spying. However, as a means to further ingratiate themselves with those that would want to illegally spy on someone’s activities, FlexiSpy is being generous enough to offer the Android version of their app for free for personal use. If you would like to use FlexiSpy for “professional use”, you’ll have to check back later to see if they have published their professional version.
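The classification rule described above (monitoring capabilities combined with hiding from the user) can be turned into a manifest triage check. The following Python is an added example, not SMobile’s or FlexiSpy’s code; the sample manifest is constructed, and the mapping from permissions to the capabilities listed above (call records, SMS, GPS, microphone) is this example’s own heuristic.

```python
"""Heuristic spyware triage of an AndroidManifest.xml (added example, not SMobile's code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Heuristic mapping (assumption of this example) from permissions to the
# monitoring capabilities the post lists: call records, SMS, GPS, microphone.
MONITORING_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call records",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.RECORD_AUDIO": "microphone",
}


def has_launcher_activity(app):
    """True if some activity is visible in the app drawer (MAIN + LAUNCHER filter)."""
    for activity in app.iter("activity"):
        for flt in activity.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            cats = {c.get(ANDROID_NS + "name") for c in flt.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                return True
    return False


def triage_manifest(manifest_xml):
    """Return capabilities, whether the app hides from the launcher, and a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    capabilities = sorted(MONITORING_PERMISSIONS[p] for p in perms if p in MONITORING_PERMISSIONS)
    app = root.find("application")
    hidden = app is None or not has_launcher_activity(app)
    # SMobile's stated criterion: monitoring ability plus hiding itself from the user.
    if capabilities and hidden:
        verdict = "spyware-like"
    elif capabilities:
        verdict = "monitoring"  # visible app with monitoring permissions: review, not auto-flag
    else:
        verdict = "benign"
    return {"package": root.get("package"), "capabilities": capabilities, "hidden": hidden, "verdict": verdict}


# Constructed sample: no launcher activity, starts at boot, reads call log, SMS and GPS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.monitor">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".CollectorService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A visible app with the same permissions lands in the “monitoring” bucket rather than being flagged outright, which is the distinction the post draws between monitoring tools and spyware.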

As we’ve already seen FlexiSpy do, they’ll likely begin to ask their customers to consider SMobile’s anti-virus/anti-spyware software to be malware. According to FlexiSpy, who are we to “interfere with legitimate, legal and accountable software”? I mean, who appointed us judge, jury and executioner anyway?

As long as service providers, enterprises, and consumers turn to SMobile to protect the privacy of their personal information and communications, we’ll continue to identify, categorize and “interfere” with applications that attempt to illegally monitor the activities of unsuspecting users. Besides, if you have our software and it tells you that FlexiSpy is installed and asks you if you would like to remove it, if you already know it’s on there…what’s the problem? Right?



SMobile GTC Sees Android Malware Coming

Filed Under: Blog, Mobile Security, Mobile Threats
Friday, March 12th, 2010

Open source versus closed source. It’s a discussion that often leads to heated arguments and one that will likely continue well beyond its usefulness. The discussion began before many of us realized there would need to be terms such as “malware” and the often incorrectly used “hacker”. Regardless of what side of the discussion you come down on, the term Android has not helped to lessen the ferocity of the debate. Since Google released the first Smartphone operating system that was supposed to be completely open source, the debate between BlackBerry, Windows Mobile, iPhone and Symbian users continues to get louder.

Whether you’re new to the Smartphone revolution or are an Android convert from some other platform, there is a reason that you chose Android. Some wanted to break the stuffy business-like feel of the BlackBerry. Others were excited about the possibilities that an operating system built on a Linux kernel with incredible customization capabilities brings. Some wanted something that was friendlier or easier to use than Windows Mobile or their Symbian device. Then there are the ones that just want to be anti-Apple. There are just as many anti-everything-Apple people as there are Apple “fanboys” in the world. There are also those that just got a deal from their provider that they couldn’t refuse. Regardless of the reason, Android’s market share is growing…

To continue reading, download the full Android Malware Whitepaper