Brian Pennington

A blog about Cyber Security & Compliance

The history of mobile threats, 2004 to 2015

Sophos have created this timeline of mobile threats going back to 2004. It’s by no means comprehensive, but it gives you a good idea of how threats have evolved in a short period of time.

[Image: Sophos mobile malware timeline infographic, 2004 to 2015]

RSA’s September Online Fraud Report 2012 including a summary of rogue mobile apps

In its September 2012 Online Fraud Report, RSA reports on the activity of online fraudsters. A summary is below.

Threats and risks in today’s mobile app marketplace

In terms of mobile security, some mobile application (app) platforms, such as Apple’s App Store, are known to employ strict rules to which application developers are obliged to adhere.

Other mobile app platforms, such as Android’s Google Play, are more flexible with regards to mobile apps. While providing application developers with a programming platform that is optimized for convenience and ease-of-entry into the app marketplace, it is these very qualities that have made Android the most heavily targeted mobile operating system, with Android apps by far the most widely used vehicle for spreading mobile malware.

Apps are one of the driving forces behind today’s smartphone market, and the ease with which they are downloaded to handsets makes them an attractive new attack vector for cybercriminals, alongside other attributes of the mobile environment: shortened URLs, low security awareness among users, and the ease of copying a mobile web page’s layout for malicious purposes.

This risk extends to the corporate setting as companies increasingly adopt Bring-Your-Own-Device (BYOD) policies, in which employees’ devices double as platforms for both personal and work-related communications. Apps that intercept a mobile user’s email and phone communications, for example, may gain access to corporate communications as well.

Types of Rogue App Payloads

According to a research study on Android malware conducted by the Department of Computer Science at North Carolina State University, 86% of Android mobile-malware payloads are repackaged with legitimate apps and are not standalone, making their detection more difficult. The same study found that many others piggyback on genuine app updates to remain undetected.

The payloads these apps install after being downloaded to a device vary widely, and can include:

  • SMS sniffers. Apps that covertly collect SMS text messages, including passwords sent to users’ handsets by SMS, and forward them to a remote drop point. Some include stealth features to avoid raising the user’s suspicion, for example turning off the alert sound when new text messages arrive and hiding incoming messages from the user.
  • Premium dialers. Apps that install themselves on the user’s handset and start dialing phone numbers or sending dummy text messages to premium-rate service numbers. This operation requires a bogus merchant with a fraudulent merchant ID through which the cybercriminals collect the funds siphoned from users’ accounts. Handset owners typically become aware of the scam only when they see the following month’s bill.
  • SEO enhancers. Apps that repeatedly access a website, or websites, to raise its ranking in search engine results.
  • Ransomware. Apps that lock a user’s handset and demand payment in return for relinquishing control of the device.
  • Spyware. Apps that send information gathered from the victim’s device, including GPS data, intercepted calls and text messages, and phone contacts, to the attacker via a remote drop point.
  • Botnet clients / bridgeheads. Apps that communicate with a cybercriminal’s command and control (C&C) server. These serve as infrastructure for further malware downloads, much like ready-made PC botnets whose infected systems wait for banker Trojans or other malware to be pushed from the C&C server. The payload acts as a bridgehead by giving the perpetrator an initial foothold on the compromised device: it opens a port, listens for commands from the C&C point, and may later download an encrypted payload to the device.

Android apps and their exploitation

In mid-2012, Google announced that the number of devices running Android had reached 400 million, representing 59% of the world’s smartphone market. To date, Android’s open-source platform has led to the publication of over 600,000 mobile apps. Android apps are written in Java, and the platform’s ease of use and low publisher entry fee have made it the most widely targeted mobile platform for malware developers and the most widely attacked by today’s Trojans. The increased risk for Android app users has already led several anti-virus companies to release AV software for Android devices.

A Secure Venue for Apps

The official venue for Android applications is called “Google Play” (formerly known as “Android Market”). By default, each handset running Android is configured to exclusively allow the installation of apps downloaded from Google Play, and to block installation of apps downloaded from any other venue. This is to ensure a minimal level of security.

Downloading apps from Google Play provides an extra security benefit to Android users, as the store provides a “Remote Application Removal” feature, which allows apps that are retrospectively identified by Google as being malicious to be removed from relevant users’ handsets.

Another important security feature added to Google Play is “Google Bouncer,” which scans new apps, acting as a gatekeeper to keep out those identified as malicious.

Despite Android’s default Google-Play-only setting, Android users can still choose to install apps from venues other than Google Play by enabling the “Unknown sources” option in their device’s security settings. Because of the risk this raises, Android presents the user with a warning message when this option is selected.

Android App Permissions

As a second security measure, before an Android app is installed (on the Android versions current at the time of the report) the app declares the system permissions it needs, and all of them have to be accepted by the user before the app can be installed on the device; there is no way to grant some and refuse others. Whereas legitimate apps normally request only one or two permissions, rogue apps are known to request a long list of permissions before installing themselves.

Currently, this is the main security obstacle for rogue Android apps, and some Trojan coders have managed to get past it through social engineering. For example, RSA has previously detected a mobile-malware app (an SMS sniffer) that presented itself as security software. The app requested nine different permissions, including permission to start at boot, change system settings, and send text messages. Unsurprisingly, the app was offered from a standalone domain not affiliated with any app store.
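The tells described in the payload list above and in the two preceding paragraphs (a long permission list, SMS and boot permissions together, a receiver that can hide incoming texts) can be checked statically from an app’s manifest. The following is an added example, not code from the RSA report or from this blog: a small Python triage script that parses an AndroidManifest.xml (a constructed sample resembling the fake security app above is embedded), matches the requested permissions against the payload types listed earlier, and flags a high-priority SMS_RECEIVED receiver. The permission and action names are real Android identifiers; the permission groupings, the “many permissions” threshold and the sample manifest are this example’s own assumptions.

```python
"""Static triage of an Android manifest against rogue-payload patterns.

Added example, not from the RSA report or this blog. Permission names
are real Android permissions; the groupings, the threshold and the
sample manifest are assumptions made for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permission sets that map onto the payload types described above.
# A payload type matches when the app requests every permission in its set.
# (Assumed groupings for illustration, not an RSA or Google list.)
PAYLOAD_SIGNATURES = {
    "sms_sniffer": {"android.permission.RECEIVE_SMS",
                    "android.permission.READ_SMS",
                    "android.permission.INTERNET"},
    "premium_dialer": {"android.permission.SEND_SMS",
                       "android.permission.CALL_PHONE"},
    "spyware": {"android.permission.ACCESS_FINE_LOCATION",
                "android.permission.READ_CONTACTS",
                "android.permission.RECORD_AUDIO",
                "android.permission.INTERNET"},
    "bot_client": {"android.permission.RECEIVE_BOOT_COMPLETED",
                   "android.permission.INTERNET",
                   "android.permission.WRITE_SETTINGS"},
}

# Constructed manifest modelled on the "security software" SMS sniffer
# described above: nine permissions including boot, settings and SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeav">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Mobile Security Suite">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def requested_permissions(manifest_xml):
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {_attr(e, "name") for e in root.iter("uses-permission")}


def high_priority_sms_receivers(manifest_xml, min_priority=1000):
    """Receivers for SMS_RECEIVED with an unusually high priority.

    On Android versions before 4.4 a receiver with a high priority ran
    before the stock messaging app and could abort the broadcast, which is
    how an SMS sniffer hides the texts it steals. The 1000 cut-off is an
    assumption; the sample uses Integer.MAX_VALUE, a common choice.
    """
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            priority = int(_attr(flt, "priority") or "0")
            actions = {_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions and priority >= min_priority:
                hits.append(_attr(receiver, "name"))
    return hits


def triage(manifest_xml, many_permissions=6):
    """Return permission count, matched payload patterns and findings."""
    perms = requested_permissions(manifest_xml)
    patterns = sorted(name for name, sig in PAYLOAD_SIGNATURES.items()
                      if sig <= perms)
    findings = []
    if len(perms) >= many_permissions:
        findings.append("requests %d permissions" % len(perms))
    for name in patterns:
        findings.append("permission set matches %s pattern" % name)
    for receiver in high_priority_sms_receivers(manifest_xml):
        findings.append("high-priority SMS_RECEIVED receiver %s" % receiver)
    return {"permissions": len(perms), "patterns": patterns,
            "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST)["findings"]:
        print("-", finding)
```

Run it as a script to print the findings for the embedded sample, or call triage() on a manifest decoded from an APK (that unpacking step is not shown here). A match is a reason to look closer, not proof of malice: an SMS backup app legitimately requests RECEIVE_SMS together with INTERNET, so use the output to prioritise manual review rather than to block automatically.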

RSA’s Conclusion

Today, the payload app may remain on a device even after the host app with which it was downloaded has been removed. This makes early detection and removal of the app from the app store that offers it even more crucial.

As with PC-based malware, educating consumers to raise awareness of today’s mobile threats and urging them to take precautions against rogue apps, will be of paramount importance to mitigating mobile threats in years to come.

Phishing Attacks per Month

In August, 49,488 unique phishing attacks were identified by RSA, marking a 17% decrease from July. The bulk of this decrease is a result of fewer phishing campaigns launched against European financial institutions which have accounted for significant spikes in recent months.

Number of Brands Attacked

In August, 290 brands were subject to phishing attacks, marking a 20% increase from July. This considerable increase shows that cybercriminals are widening their phishing targets to new organizations and new industries not targeted in recent months. More than half of the brands affected by phishing in August were targeted by more than five phishing attacks.

US Bank Types Attacked

In the U.S. financial sector, nationwide banks experienced a 7% decrease in phishing attacks. However, brands in this segment continue to be most targeted by phishing attacks, hit by two out of every three attacks in August.

Top Countries by Attack Volume

In August, the UK continued to get hit by the majority of worldwide phishing attack volume for the sixth consecutive month, accounting for about 70% of all global phishing volume. The U.S. and Canada continued to remain second and third on the list.

Top Countries by Attacked Brands

In August, the U.S., UK and Australia were the top three countries whose brands were most affected by phishing, targeted by 45% of global phishing attacks during the month.

Top Hosting Countries

The U.S. hosted the vast majority of phishing attacks in August with 80%, followed by Canada, the UK and Germany.

Previous RSA Online Fraud Report Summaries:

  • The RSA August 2012 Online Fraud Report Summary here.
  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary here.
  • The RSA December 2011 Online Fraud Report Summary here.
  • The RSA November 2011 Online Fraud Report Summary here.
  • The RSA October 2011 Online Fraud Report Summary here.
  • The RSA September 2011 Online Fraud Report Summary here.

Best Practice Guidelines for Enterprises – an IT Security Guide

In its Intelligence Report for June 2011, Symantec published Best Practice Guidelines for enterprises wishing to improve their IT security.

The details of the Best Practice Guide are below.

1. Employ defense-in-depth strategies: Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls, as well as gateway antivirus, intrusion detection, intrusion prevention systems, and Web security gateway solutions throughout the network.

2. Monitor for network threats, vulnerabilities and brand abuse: Monitor for network intrusions, propagation attempts and other suspicious traffic patterns, and identify attempted connections to known malicious or suspicious hosts. Receive alerts for new vulnerabilities and threats across vendor platforms for proactive remediation. Track brand abuse via domain alerting and fictitious site reporting.

3. Antivirus on endpoints is not enough: On endpoints, signature-based antivirus alone is not enough to protect against today’s threats and Web-based attack toolkits. Deploy and use a comprehensive endpoint security product that includes additional layers of protection including:

  • Endpoint intrusion prevention that stops un-patched vulnerabilities from being exploited, protects against social engineering attacks, and stops malware from reaching endpoints;
  • Browser protection against obfuscated Web-based attacks;
  • Cloud-based malware prevention, to provide proactive protection against unknown threats;
  • File and Web-based reputation solutions that provide a risk-and-reputation rating for any application and Web site, to block rapidly mutating and polymorphic malware;
  • Behavioral prevention capabilities that examine the behavior of applications and block malicious behavior;
  • Application control settings that prevent applications and browser plug-ins from downloading unauthorized malicious content;
  • Device control settings that prevent or limit the types of USB devices that can be used.

4. Use encryption to protect sensitive data: Implement and enforce a security policy whereby sensitive data is encrypted. Access to sensitive information should be restricted. This should include a Data Loss Prevention (DLP) solution, which is a system to identify, monitor, and protect data. This not only serves to prevent data breaches, but can also help mitigate the damage of potential data leaks from within an organization.

5. Use Data Loss Prevention to help prevent data breaches: Implement a DLP solution that can discover where sensitive data resides, monitor its use and protect it from loss. DLP should monitor the flow of data as it leaves the organization over the network and monitor copying of sensitive data to external devices or Web sites. It should be configured to identify and block suspicious copying or downloading of sensitive data, and it should also be used to identify confidential or sensitive data assets on network file systems and PCs so that appropriate protection measures such as encryption can be applied to reduce the risk of loss.

6. Implement a removable media policy. Where practical, restrict unauthorized devices such as external portable hard-drives and other removable media. Such devices can both introduce malware as well as facilitate intellectual property breaches—intentional or unintentional. If external media devices are permitted, automatically scan them for viruses upon connection to the network and use a DLP solution to monitor and restrict copying confidential data to unencrypted external storage devices.

7. Update your security countermeasures frequently and rapidly: With more than 286M variants of malware detected by Symantec in 2010, enterprises should be updating security virus and intrusion prevention definitions at least daily, if not multiple times a day.

8. Be aggressive on your updating and patching: Update, patch and migrate from outdated and insecure browsers, applications and browser plug-ins to the latest available versions using the vendors’ automatic update mechanisms. Most software vendors work diligently to patch exploited software vulnerabilities; however, such patches can only be effective if adopted in the field. Be wary of deploying standard corporate images containing older versions of browsers, applications, and browser plug-ins that are outdated and insecure. Wherever possible, automate patch deployments to maintain protection against vulnerabilities across the organization.

9. Enforce an effective password policy. Ensure passwords are strong; at least 8-10 characters long and include a mixture of letters and numbers. Encourage users to avoid re-using the same passwords on multiple Web sites and sharing of passwords with others should be forbidden. Passwords should be changed regularly, at least every 90 days. Avoid writing down passwords.

10. Restrict email attachments: Configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR files. Enterprises should investigate policies for .PDFs that are allowed to be included as email attachments.
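Guideline 10 can be enforced at the mail gateway with a small rule set, and the rule needs to be a little smarter than a last-extension match. The following is an added example, not code from Symantec’s report or from this blog: a Python check that walks a MIME message (a constructed sample is embedded), blocks any attachment whose name carries one of the listed extensions anywhere in it (so Invoice.PDF.exe is caught despite the case and the double extension), and also blocks any attachment whose decoded content starts with the MZ header of a Windows executable, whatever it is called. Treating PDFs as “review” rather than blocking them outright is this example’s assumption, in line with the guideline’s suggestion that PDF policy be investigated.

```python
"""Attachment policy check for inbound mail (guideline 10).

Added example, not from Symantec's report or this blog. The block list
is the guideline's; the "review" class for PDFs, the MZ-header check
and the sample message are this example's own assumptions.
"""
from email import policy
from email.parser import BytesParser

BLOCKED = {"vbs", "bat", "exe", "pif", "scr"}   # from guideline 10
REVIEW = {"pdf"}                                 # assumed: flag, don't block

# Constructed message: a renamed executable with a double extension, a
# genuine PDF, a "JPEG" that is really an executable, and a text file.
# "TVqQ..." base64-decodes to bytes starting with "MZ"; "JVBERi0x..."
# decodes to "%PDF-1.4".
SAMPLE_EML = b"""From: accounts@example.net
To: user@example.org
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see attached.
--XYZ
Content-Type: application/octet-stream; name="Invoice.PDF.exe"
Content-Disposition: attachment; filename="Invoice.PDF.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--XYZ
Content-Type: application/pdf; name="terms.pdf"
Content-Disposition: attachment; filename="terms.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

plain text
--XYZ--
"""


def extensions(filename):
    """Every dotted suffix, lower-cased: 'a.PDF.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_name(filename):
    """Policy verdict from the file name alone: block, review or allow."""
    exts = extensions(filename)
    if any(ext in BLOCKED for ext in exts):
        return "block"
    if exts and exts[-1] in REVIEW:
        return "review"
    return "allow"


def looks_like_pe(part):
    """True when the decoded attachment starts with the MZ header that
    every Windows executable carries, regardless of its file name."""
    data = part.get_payload(decode=True) or b""
    return data[:2] == b"MZ"


def scan_message(raw):
    """Return [(filename, verdict), ...] for each attachment in the mail."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:
            continue                      # body text, not an attachment
        verdict = classify_name(name)
        if verdict != "block" and looks_like_pe(part):
            verdict = "block"             # executable hiding behind a safe name
        results.append((name, verdict))
    return results


def gateway_verdict(raw):
    """Reject the whole message if any attachment is blocked."""
    return "reject" if any(v == "block" for _, v in scan_message(raw)) else "accept"


if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE_EML):
        print("%-20s %s" % (name, verdict))
    print("message:", gateway_verdict(SAMPLE_EML))
```

The name check alone would have let photo.jpg through, which is why the content check is worth the extra decode; the same idea extends to archives, where the policy should be applied to the members rather than to the .zip name. Neither check replaces antivirus scanning; this is the cheap first filter that runs before it.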

11. Ensure that you have infection and incident response procedures in place:

  • Ensure that you have your security vendors’ contact information, know who you will call, and what steps you will take if you have one or more infected systems;
  • Ensure that a backup-and-restore solution is in place in order to restore lost or compromised data in the event of successful attack or catastrophic data loss;
  • Make use of post-infection detection capabilities from Web gateway, endpoint security solutions and firewalls to identify infected systems;
  • Isolate infected computers to prevent the risk of further infection within the organization;
  • If network services are exploited by malicious code or some other threat, disable or block access to those services until a patch is applied;
  • Perform a forensic analysis on any infected computers and restore those using trusted media.

12. Educate users on the changed threat landscape:

  • Do not open attachments unless they are expected and come from a known and trusted source, and do not execute software that is downloaded from the Internet (if such actions are permitted) unless the download has been scanned for viruses;
  • Be cautious when clicking on URLs in emails or social media programs, even when coming from trusted sources and friends;
  • Do not click on shortened URLs without previewing or expanding them first using available tools and plug-ins;
  • Recommend that users be cautious of information they provide on social networking solutions that could be used to target them in an attack or trick them to open malicious URLs or attachments;
  • Be suspicious of search engine results and only click through to trusted sources when conducting searches, especially on topics that are hot in the media;
  • Deploy Web browser URL reputation plug-in solutions that display the reputation of Web sites from searches;
  • Only download software (if allowed) from corporate shares or directly from the vendor’s Web site;
  • If users see a warning indicating that they are “infected” after clicking on a URL or using a search engine (fake antivirus infections), have users close or quit the browser using Alt-F4, CTRL+W or the task manager.

The Symantec Security Response web page can be found here.

Mobile Device Vulnerabilities at an all time high

A study commissioned by Juniper Networks found that enterprise and consumer mobile devices are being exposed to a record number of security threats.

The study’s key findings include:

  • App Store Anxiety: The single greatest distribution point for mobile malware is application download, yet the vast majority of Smartphone users are not employing an antivirus solution on their mobile device to scan for malware
  • Wi-Fi Worries: Mobile devices are increasingly susceptible to Wi-Fi attacks, including applications that enable an attacker to easily log into victim email and social networking applications
  • The Text Threat: 17 percent of all reported infections were due to SMS Trojans that sent SMS messages to premium rate numbers, often at irretrievable cost to the user or enterprise
  • Device Loss and Theft: 1 in 20 Juniper customer devices were lost or stolen, requiring locate, lock or wipe commands to be issued
  • Risky Teen Behavior: 20 percent of all teens admit sending inappropriate or explicit material from a mobile device
  • “Droid Distress”: The number of Android malware attacks increased 400 percent since Summer 2010

“These findings reflect a perfect storm of users who are either uneducated on or disinterested in security, downloading readily available applications from unknown and unvetted sources in the complete absence of mobile device security solutions,” said Dan Hoffman, chief mobile security evangelist at Juniper Networks.

“App store processes of reactively removing applications identified as malicious after they have been installed by thousands of users is insufficient as a means to control malware proliferation. There are specific steps users must take to mitigate mobile attacks. Both enterprises and consumers alike need to be aware of the growing risks associated with the convenience of having the Internet in the palm of your hand.”

“The last 18 months have produced a non-stop barrage of newsworthy threat events, and while most had been aimed at traditional desktop computers, hackers are now setting their sights on mobile devices. Operating system consolidation and the massive and growing installed base of powerful mobile devices is tempting profit-motivated hackers to target these devices,” said Jeff Wilson, principal analyst, Security, at Infonetics Research.

“In a recent survey of large businesses, we found that nearly 40 percent considered smartphones the device type posing the largest security threat now. Businesses need security tools that provide comprehensive protection: from the core of the network to the diverse range of endpoints that all IT shops are now forced to manage and secure.”

The study specifically reports the following:

  • 400 percent increase in Android malware since summer 2010
  • Mobile malware grew 250% from 2009 to 2010
  • 61% of Juniper Networks-detected malware infections are from spyware
  • 17% of Juniper Networks-detected mobile malware infections are from SMS Trojans
  • 1 in 20 mobile devices was lost or stolen, requiring locate, lock, or wipe commands and risking loss of confidential and sensitive data
  • 83% of teens use mobile technology to stay connected with friends and family
  • 20% of all teens have been cyberbullied through a mobile device
  • 20% of all teens admit sending inappropriate or explicit pictures or videos of themselves from a mobile device
  • 39% of teens admit to sending sexually suggestive messages from their device
  • 29% of teens admit to sending suggestive messages, or inappropriate and explicit pictures or videos, to someone they have never met
  • 44% of teens admit that it is common for suggestive messages that were received to be shared with someone else

The study recommends the following:

For Consumers:

  • Install an on-device anti-malware solution to protect against malicious applications, spyware, infected SD cards, and malware-based attacks on the device
  • Use an on-device personal firewall to protect device interfaces
  • Require robust password protection for device access
  • Implement anti-spam software to protect against unwanted voice and SMS/MMS communications
  • For parents, use device usage monitoring software to oversee and control pre-adult mobile device usage and protect against cyberbullying, cyberstalking, exploitative or inappropriate usage, and other threats

For Enterprises, Government agencies and SMBs:

  • Employ on-device anti-malware to protect against malicious applications, spyware, infected SD cards and malware-based attacks against the mobile device
  • Use SSL VPN clients to effortlessly protect data in transit and ensure appropriate network authentication and access rights
  • Centralize locate and remote lock, wipe, backup and restore facilities for lost and stolen devices
  • Strongly enforce security policies, such as mandating the use of strong PINs/Passcodes
  • Leverage tools to help monitor device activity for data leakage and inappropriate use
  • Centralize mobile device administration to enforce and report on security policies

For further details, click here

A short history of Android security issues

In its recent study, Juniper Networks uncovered some very interesting facts on the growing risk to Android-based mobile devices.

The timeline for the development of the threats is as follows:

Android Attacks: 2010

  • January 2010: First bank phishing application for Android
  • March 2010: First Android “botnet”
  • July 2010: GPS monitoring embedded in Tap Snake game
  • August 2010: First Android SMS Trojan
  • November 2010: “Angry Birds” proof-of concept malware demonstrated
  • December 2010: First pirated Android application, Geinimi

Android Attacks: 2011

  • January 2011: ADRD and PJApps available in China
  • March 2011: Myournet/DroidDream, the first Android malware available and distributed through Android Market on a large scale, affects 50,000 users.
  • Google’s solution, the Android Market Security Tool, was also pirated and turned into malware in China.
  • April 2011: Walk-and-Text pirate puts egg on users’ faces.
  • April 2011: Research at IU Bloomington results in “Soundminer” proof-of-concept communications interception application.

Overall, there was a 400% increase in Android malware since summer 2010.

In summary, the bad guys have seen the growth of the smartphone market and are turning their skills to the development of tools and attack vectors for the operating systems that run on it, including Android.

Smartphone users at risk of ID Fraud

Credit reference agency Equifax has recently released its research into the implications of Smartphone Theft on Identity Fraud.

The findings of the research are very interesting, as they show how cavalier smartphone owners are with their information and identity.

The highlights of the research are below:

  • 94% of consumers fear identity fraud and theft yet many keep too much personal data on mobile devices
  • 54% of second-hand phones contain personal data including texts, emails and even banking details. Identity fraud expert Equifax is urging consumers to think about what personal data they store on their mobile phone and to delete all data from both the phone and SIM card before recycling or selling it
  • 40% of smartphone users also don’t use the passcode function, leaving them vulnerable to ID fraud. And this jumps when looking at the younger generation that have most embraced the new technologies
  • 62% of 22-25 year olds use their smartphone to regularly check their online banking. Yet despite fears about identity theft, 69% do not use a passcode function on their phone
  • 35% admit to regularly clearing their browsing history after they use online banking. It’s also this generation where there’s probably more chance of them having personal items stolen when out shopping or in bars and clubs, making them the perfect target for fraudsters

Equifax’s Smartphone Security Tips

  • Always use the PIN function on your handset
  • Don’t store reminders of passwords on your phone
  • Think about which accounts you access from your phone. Would it be better to wait until you are in the security of your home?
  • Wipe browser history, especially if reviewing online banking
  • Keep an eye out for malicious software masquerading as apps
  • Keep your smartphone safe at all times
  • Delete all personal information from the phone and the SIM card before recycling or selling your phone

Read the full press release here.
