All the world’s a Stagefright

Stagefright

Here’s how security vulnerabilities are supposed to be handled. One, a researcher discovers an issue. Two, the people who make the software find a solution. And three, the solution is then made available, ideally by automatic update. That’s what Windows does, and what Apple does. It isn’t always as fast as it should be, but at least once the fix exists it’s available almost instantly.

Here’s how it works with Android.

  1. A researcher discovers a vulnerability.
  2. Google says “la la la can’t hear you” for a year or so.
  3. After lots of media coverage Google says it’ll fix the hole.
  4. Google creates a fix and promises to bring it to the Nexus range in two or three months.
  5. Google gives the fix to manufacturers who say they’ll roll it out at some point, maybe, when they get round to it.
  6. The manufacturers get round to it and submit their version to the phone networks, who say they’ll totally bring it out at some point, oh yes siree!
  7. The vulnerability that the fix will eventually fix evolves so that the fix doesn’t fix it any more.
  8. Google says “la la la can’t hear you”.

Read the whole story at: The Times of India

Dropbox Makes PDF Viewing Less Painful, Adds Push Notifications For Shared Folders

Just a few days after adding a new set of features to Dropbox for Teams, the cloud storage company rolled out a new version of its iOS application which introduces a few useful additions as well. For starters, it has added an improved PDF viewer, which lets you navigate to any page in the document by tapping on the thumbnail. It’s rather awesome, in fact. The update also introduces push notifications for folders shared with you – a feature that’s now available on Android, too.

The revamped PDF viewer will be particularly welcome for business users, as it not only offers the multi-page layout for easier navigation, it lets you search for keywords or phrases in the PDF file, too. An interesting side note on this – Dropbox is actually using a paid, third-party component called PSPDFKit for the viewer. Dropbox’s Stephen Poletto shared this news on Twitter earlier today.

Another new addition which will again appeal to professionals on the service, is the ability to now sort files by the date they were modified – that’s handy for those using shared folders as they collaborate on files that are under revision.

A small thing, perhaps, in the grand scheme of things, but one that’s going to make life easier on a large number of users.

It also shows that Dropbox is thinking about the kind of things its business users need: the little pain points that, when combined, can add up to an overall poor experience.

The push notifications option will alert users when someone shares a folder with them. This feature will be handy for consumers and enterprises alike. While push notifications are new to both Android and iOS, the PDF viewer has not yet made its way to Android. That should change soon, though, as Dropbox tries to keep its platform releases relatively close together.

The updated app is here on iTunes, and the Android version is here.

Credit: TechCrunch

Ladies with few clothes tend to cause a lot of trouble on PCs – and now on Android devices too

Cross-posted from Securelist

The appearance of a new Android malware family is not that surprising at all today, especially when we talk about SMS Trojans, which are one of the most popular and oldest types of threats created for extracting money from users. A new family of SMS Trojans named Vidro appeared a few days ago, but we’ve already collected a lot of APK files with very similar functionality. At the moment all the samples we have found target only users in Poland.

Spreading

Trojan-SMS.AndroidOS.Vidro is spread via porn sites. The mechanism is very similar to the way the very first Android malware (Trojan-SMS.AndroidOS.FakePlayer) spread. If the user visits a porn site with a desktop browser he will see something similar to this:


But if the potential victim somehow visits the same website using an Android device, a porn web site will be ‘optimized’ for the smartphone:


After clicking on the link ‘Watch Now’, the user will be redirected to the web site called ‘Vid4Droid’ (vid4droid.com) which suggests to the victim that they download ‘The new Sexvideo App’:


A click on the ‘Install’ button redirects the victim to a page that starts the download automatically and carries instructions on ‘how-to-install-our-super-porno-app’, with a reminder to allow installation of applications from unknown sources:


Vidro description

After the installation of Vidro the following icon can be found in the main menu:


If the victim launches the malware, the first thing he sees is a dialog box inviting him to agree to the terms and conditions.


But the ‘funny’ fact is that there is no EULA or terms and conditions anywhere in the app. In other words, even if such conditions exist, there is no way to read them. After the user clicks ‘Yes’, an SMS message is sent to a premium rate number. The premium rate number is 72908 (Polish) and the SMS text is PAY {unique sequence of digits and letters}. Each message costs 2 zł (about 0.5 euro). We will discuss the SMS text later. Messages are sent every 24 hours. All the data required for sending the expensive SMS is stored in the configuration file ‘setting.json’.

Vidro is also able to hide incoming SMS messages from specific numbers. We have already seen such functionality in Trojans like Foncy and Mania.

Besides sending expensive messages Vidro is able to:

  • Update the configuration file (which might contain a new premium rate number and SMS text) and update itself. To connect to the remote server the malware uses its own User-Agent string: “Mozilla/5.0 (Linux; U; {app_id}; {android_version}; de-ch; Vid4Droid) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30”.
  • Upload information about itself and the infected device to a remote server.
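A hard-coded User-Agent like the one above is the kind of indicator a network defender can act on directly. The following Python filter is an added example, not code from the Securelist analysis: it matches the quoted Vidro User-Agent in a tab-separated proxy log and reports the beaconing clients. The log format, the hosts and addresses in it, and the value used for {app_id} ("vid4droid-1") are all constructed for the example; the analysis only states that the app fills that field in.

```python
import re
from typing import Dict, List, Optional, Set

# User-Agent hard-coded in Vidro, as quoted in the analysis. The two fields the
# malware fills in at run time are captured; everything else must match exactly,
# so a genuine Android browser (different WebKit build, no "Vid4Droid" token)
# does not trigger the rule.
VIDRO_UA = re.compile(
    r"^Mozilla/5\.0 \(Linux; U; (?P<app_id>[^;]+); (?P<android_version>[^;]+); "
    r"de-ch; Vid4Droid\) AppleWebKit/534\.30 \(KHTML, like Gecko\) "
    r"Version/4\.0 Mobile Safari/534\.30$"
)


def parse_vidro_ua(user_agent: str) -> Optional[Dict[str, str]]:
    """Return the app_id/android_version fields if the UA is Vidro's, else None."""
    m = VIDRO_UA.match(user_agent.strip())
    return m.groupdict() if m else None


def find_vidro_beacons(log_text: str) -> List[Dict[str, str]]:
    """Scan a tab-separated proxy log (timestamp, client, method, url, user-agent)
    and return one record per request made with the Vidro User-Agent."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t", 4)
        if len(fields) != 5:
            continue  # malformed or truncated line
        ts, client, _method, url, ua = fields
        parsed = parse_vidro_ua(ua)
        if parsed:
            hits.append({"timestamp": ts, "client": client, "url": url, **parsed})
    return hits


def infected_clients(log_text: str) -> Set[str]:
    """Client addresses that beaconed at least once. The 24-hour cadence the
    analysis describes shows up as repeated hits from one client on consecutive days."""
    return {h["client"] for h in find_vidro_beacons(log_text)}


# Constructed sample log (not real traffic). Hosts, addresses and the app_id
# value "vid4droid-1" are assumptions made for this example.
SAMPLE_LOG = "\n".join([
    "2012-08-01T10:00:01Z\t10.0.0.5\tGET\thttp://example.com/\t"
    "Mozilla/5.0 (Linux; U; Android 2.3.4; pl-pl; GT-I9100 Build/GINGERBREAD) "
    "AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
    "2012-08-01T10:00:07Z\t10.0.0.9\tGET\thttp://update.example.invalid/setting.json\t"
    "Mozilla/5.0 (Linux; U; vid4droid-1; 2.3.6; de-ch; Vid4Droid) "
    "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
    "2012-08-02T10:00:12Z\t10.0.0.9\tGET\thttp://update.example.invalid/setting.json\t"
    "Mozilla/5.0 (Linux; U; vid4droid-1; 2.3.6; de-ch; Vid4Droid) "
    "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
])

if __name__ == "__main__":
    for hit in find_vidro_beacons(SAMPLE_LOG):
        print(hit["timestamp"], hit["client"], hit["url"], hit["android_version"])
```

The rule is deliberately anchored on the fixed tail of the string rather than on the "Vid4Droid" token alone; a config update could change the token, so the whole string should be re-checked against fresh samples before relying on it.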

Content provider and affiliate network

If you google ‘72908’ (the premium rate number from Vidro) you can find a Polish forum which contains some complaints about this number.


Rough translation:

“How to remove ‘carmunity’ from 72908 number? Help me.”

“It’s probably some kind of virus, this SMS goes out from the phone, it’s better to disable it with your GSM provider, both outgoing and incoming.”

“I want to disable.”

Let’s take a deeper look at the malicious vid4droid.com domain. According to Robtex this domain is controlled by two name servers at carmunity.de; and the vid4droid.com mail server is handled at tecmedia.eu.


There are a number of hosts (like ‘sex-goes-mobile.biz’, ‘sexgoesmobile.biz’, ‘sexgoesmobil.com’ and similar) which share both name servers and mail servers with this domain. And if you visit one of these hosts you will be redirected to the web site sexgoesmobile.com.

Carmunity

Carmunity is a German content and service provider company, whose “portfolio offers an array of creative and technical solutions, enabling businesses to generate and apply their own portals in the mobile internet”. This quote was copied from the English version of their web site (carmunity.de).


Main page of Carmunity web site

Contact information contains the physical address of this company. According to this, Carmunity is located in Bremen, Mary-Astell-Str. 2. If you google this address you can find that another German company called Displayboy has the same physical address. What do we know about this organization? Well, here are some quotes from their web site displayboy.com (no German version, only English):

“Welcome to DisplayBoy – the leading provider for adult affiliate marketing in the mobile Internet.”

“Right now, between 5%-10% adult website users are surfing sites with mobile phones. With Displayboy you can convert your existing mobile traffic in a snap. It’s easy, simple and reliable.”


Do Carmunity and Displayboy have something in common? I think, yes 🙂 At least both companies are specialized in monetization of mobile traffic.

SexGoesMobile

As mentioned above, some hosts share name servers and mail servers with the vid4droid.com domain. And if you try to visit one of them you’ll be redirected to sexgoesmobile.com. Here is a part of the main page of this web site:


Yes, it’s an affiliate network created for monetizing mobile adult traffic. And there are some curious things inside. Let’s see what’s going on there.

Many mobile affiliate networks (Russian ones at least) provide full access to various so-called ‘promotional tools’ to all participants. The SexGoesMobile affiliate network also offers various ‘promotional tools’. For example, you can create a mobile pay site using one of the existing templates:


Each template has its own domain name. And each affiliate who participates in SexGoesMobile has an ID. After choosing the template this affiliate is able to choose the target audience (‘mobile’ or ‘desktop’):


And finally an affiliate is able to generate a unique URL with his ID:


If the potential victim clicks on this unique link he will be redirected to the web site exgftube.mobi, which contains fake video thumbnails. Clicking on one of these thumbnails redirects the user to the vid4droid.com web site, where he is invited to download the vid4droid.apk file (Trojan-SMS.AndroidOS.Vidro). Remember the format of the SMS text in this malware? PAY {unique sequence of digits and letters}. This unique sequence is generated on the remote malicious server based on the referrer (the unique URL with the affiliate’s ID). In other words, each affiliate ‘has’ his own SMS Trojan with a unique SMS text.

Conclusion

The mobile malware industry and mobile malware services continue to evolve. A couple of years ago mobile affiliate networks were mostly Russian. Now we see these affiliate networks appearing in other countries. Unfortunately, such networks have already become pretty effective and are an easy way to spread mobile malware and earn money illegally. And the ‘migration’ of affiliate networks will lead to new infections and huge money losses not only in Russia but in other countries as well.

‘Botnet’ sends out spam as malware spreads on Android phones: researcher

Malware has been spreading on Android mobile phones that takes control of certain email accounts to create a “botnet” to send out spam, a security researcher says.

Microsoft security engineer Terry Zink says the malware has infected phones and is using their owners’ Yahoo email accounts to send out spam messages.

“We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices,” Zink said in a blog post on Tuesday.

“These devices log in to the user’s Yahoo Mail account and send spam.”

He said the phones appear to be located in Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine and Venezuela.

“I’ve written in the past that Android has the most malware compared to other smartphone platforms, but your odds of downloading and installing a malicious Android app are pretty low if you get it from the Android Marketplace,” he said.

“But if you get it from some guy in a back alley on the internet, the odds go way up.”

He said users in the developed world “usually have better security practices and fewer malware infections than users in the developing world”.

“I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for,” Zink said.

“Either that or they acquired a rogue Yahoo Mail app.”

A report earlier this year by the security firm AV-Test found that some Android apps download malicious code after installation, and said this is more common in Google’s Android system than in the Apple ecosystem, which has stricter security policies.

Google has a security system known as Bouncer to scan for malware but some experts recommend additional protection for phones using the platform.

Source smh.com.au

Fake Skype app on Android is malware

ZDNet Wrote:

A new piece of malware is trying to take advantage of Skype’s increasing popularity, especially on mobile devices. Cybercriminals have created a fake version of the Skype for Android app, designed to earn money from unsuspecting users. Trend Micro, which first discovered the malware, is calling this particular threat JAVA_SMSSEND.AB.

The Java in the name should not surprise you, given that Android apps are primarily developed in a custom version of the programming language. Thankfully, this is not a very good fake. The app in question only runs on older Symbian phones (pre-SIS, Software Installation Script) or Android devices that allow execution of Java MIDlets.

The cybercriminals behind this scheme have set up fake websites advertising fake Skype apps. Most of the sites are hosted on Russian domains (.ru) but the fake apps themselves are hosted on Nigerien domains (.ne).

The reason this is not a good fake is that instead of an .apk file (the expected package file for Android apps), users are served up with a .jar (Java MIDlet). While the app poses as an installer for Skype, what it really does is install a piece of malware. The devil is in the details: in the background, the malicious app sends expensive international text messages to earn its creators revenue.

Android lets you download and install apps from anywhere. If you want the official version of an app, however, get it from the official Google Play store. Here is the official Skype link: play.google.com/store/apps/details?id=com.skype.raider.

Warning: Fake Biophilia app on Android is malware

Cross-posted from ZDNet: Summary: Cyber criminals have created a fake Biophilia app for Android that is really just malware in disguise. Your first red flag should be that Biophilia is officially available on iOS, but not on Android.


During April alone, we’ve already seen malicious versions of Angry Birds Space and Instagram in the wild. Both are Android apps that are really just malware designed to generate money from unsuspecting users by sending expensive international text messages. Now the same is happening with the popular Biophilia app.

Here’s the official description of the app:

Biophilia is an extraordinary and innovative multimedia exploration of music, nature and technology by the musician Björk. Comprising a suite of original music and interactive, educational artworks and musical artifacts, Biophilia is released as ten in-app experiences that are accessed as you fly through a three-dimensional galaxy that accompanies the album’s theme song Cosmogony. All of the album’s songs are available inside Biophilia as interactive experiences: Crystalline, Virus, Moon, Thunderbolt, Sacrifice, Mutual Core, Hollow, Solstice, and Dark Matter.

Björk recently invited hackers and pirates to port her app from iOS to other platforms, but somehow I don’t think Android malware is what she had in mind. Symantec identified the social engineering scam on third-party Android app download sites and described the malware as follows:

The app itself comes in two parts: the front-end, which has the ability to stream songs, and a background service with the name ‘Market’. Upon examination of the background service (designed to activate every time the phone starts) it appears to belong to the Android.Golddream family of threats. The authors of this family of threats are known to target third-party apps with malicious versions of popular apps, drawing revenue from premium SMS scams.

To reiterate, Biophilia is not available for Android. Some may have managed to port it illegally, but please beware that they may have included malware inside. If you want to get the official iOS version, get it from the official Apple App store. Here is the direct link: itunes.apple.com/app/bjork-biophilia/id434122935.

Android malware poses as Angry Birds Space game

Android malware authors have seized an opportunity to infect unsuspecting smartphone users with the launch of the latest addition to the immensely popular “Angry Birds” series of games.

SophosLabs recently encountered malware-infected editions of the “Angry Birds Space” game which have been placed in unofficial Android app stores.

The Trojan horse, which Sophos detects as Andr/KongFu-L, appears to be a fully-functional version of the popular smartphone game, but uses the GingerBreak exploit to gain root access to the device, and install malicious code.

The Trojan communicates with a remote website in an attempt to download and install further malware onto the compromised Android smartphone.


Interestingly, the malware hides its payload – in the form of two malicious ELF files – at the end of a JPG image file.
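Hiding native code after a JPEG’s end-of-image marker works because image viewers stop at the marker and ignore whatever follows. The carver below is an added example, not Sophos’ code and not an analysis of the real Andr/KongFu-L sample: it walks the JPEG segment structure to find the true EOI (searching for the last FF D9 would be fooled by an appended ELF that happens to contain those bytes), then slices out each appended ELF using the length recorded in its own header. The JPEG and the two ELF stubs it runs on are constructed inline for the example; the ELF header offsets used are the standard ones.

```python
import struct
from typing import List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the JPEG EOI marker, found by walking the segment
    structure. Searching for the last FF D9 would be wrong here: the appended
    ELF files can contain FF D9 themselves, and an EXIF thumbnail carries its
    own SOI/EOI inside an APP1 segment."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                              # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:    # standalone, no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack_from(">H", data, pos + 2)
        pos += 2 + length
        if marker == 0xDA:                              # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                               # a real marker, not stuffing or RSTn
                pos += 1
    raise ValueError("no EOI found")


def elf_size(blob: bytes) -> Optional[int]:
    """Size of the ELF at the start of blob, from e_shoff + e_shnum * e_shentsize.
    Returns None for stripped files (no section header table) or bad headers."""
    if len(blob) < 52 or blob[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = blob[4], blob[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:                                   # ELF32 (ARM Android of the period)
        (shoff,) = struct.unpack_from(end + "I", blob, 0x20)
        shentsize, shnum = struct.unpack_from(end + "HH", blob, 0x2E)
    elif ei_class == 2 and len(blob) >= 64:             # ELF64
        (shoff,) = struct.unpack_from(end + "Q", blob, 0x28)
        shentsize, shnum = struct.unpack_from(end + "HH", blob, 0x3A)
    else:
        return None
    if shoff == 0 or shnum == 0:
        return None
    size = shoff + shentsize * shnum
    return size if size <= len(blob) else None


def carve_trailing_elf(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, bytes) for every ELF appended after the JPEG's EOI.
    Each file's length comes from its own header when possible, so a second
    ELF_MAGIC inside a payload is not mistaken for a new file; otherwise the
    file is assumed to run until the next magic or the end of the data."""
    end = jpeg_end_offset(data)
    found = []
    pos = data.find(ELF_MAGIC, end)
    while pos != -1:
        size = elf_size(data[pos:])
        if size is None:
            nxt = data.find(ELF_MAGIC, pos + len(ELF_MAGIC))
            size = (nxt if nxt != -1 else len(data)) - pos
        found.append((pos, data[pos:pos + size]))
        pos = data.find(ELF_MAGIC, pos + size)
    return found


# ---- constructed sample input (not the Angry Birds sample) -------------------

def make_fake_elf32(payload: bytes) -> bytes:
    """Little-endian ELF32 stub for ARM with one null section header at the end,
    so elf_size() can recover its length. Not a loadable executable."""
    shoff = 52 + len(payload)
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8   # 32-bit, LE, v1, SYSV
    header = e_ident + struct.pack(
        "<HHIIIIIHHHHHH", 2, 40, 1, 0, 0, shoff, 0, 52, 32, 0, 40, 1, 0
    )
    return header + payload + b"\x00" * 40


SAMPLE_JPEG = (
    b"\xff\xd8"                                                          # SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"   # SOS
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"  # scan data with FF00 stuffing and an RST0
    + b"\xff\xd9"                                                        # EOI
)
ELF_A = make_fake_elf32(b"A" * 30 + b"\xff\xd9")   # payload contains a fake EOI
ELF_B = make_fake_elf32(b"B" * 70 + ELF_MAGIC)     # payload contains a decoy ELF magic
SAMPLE = SAMPLE_JPEG + ELF_A + ELF_B

if __name__ == "__main__":
    for offset, blob in carve_trailing_elf(SAMPLE):
        print(f"ELF at offset {offset}, {len(blob)} bytes")
```

Two details matter in practice: a camera or editor may legitimately leave junk after the EOI, so trailing bytes alone are not an indicator, but an ELF (or DEX, or ZIP) header there is; and a stripped binary with e_shoff of zero falls back to the next-magic heuristic, so the carved file length should be confirmed with a proper ELF parser before the blob is analysed further.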


With the malware in place, cybercriminals can now send compromised Android devices instructions to download further code or push URLs to be displayed in the smartphone’s browser.

Effectively, your Android phone is now part of a botnet, under the control of malicious hackers.

It feels like we have to keep reminding Android users to be on their guard against malware risks, and to be very careful – especially when downloading applications from unofficial Android markets.

Instagram Sign-Up Page Now Beckons Android Users

Mashable: The day when Android users will first lay hands on the red hot photo-sharing app Instagram just got even closer. Late Saturday, a sign-up page appeared on Instagram’s website, inviting all those of the Android persuasion to sign up to be notified when the app is first available for that OS.

The company still isn’t saying when the long-awaited Android Instagram app will actually become available. But now, at least those eager to try out the free app can take some sort of action that brings them closer to Instagram.

But what’s the big deal with Instagram, anyway? Why’s this so-far Apple-only app so heavily anticipated for the Android platform, even when there’s a plethora of Instagram alternatives already available? In my experience, it’s just plain fun. It’s almost like a game to try to create artistic photographs in this tiny medium, only available on one platform, in one size, and in one aspect ratio. There’s a huge horde of users already embracing Instagram, far exceeding the critical mass that would mark it as a social extravaganza. And it’s so easy and seamless to share with Twitter, Facebook and Tumblr.

Technically, Instagram is not exactly groundbreaking. Its filters are not as expansive nor capable as you can get in other apps, but Instagram levels the playing field for everyone, functioning as a great equalizer for photographers spanning the spectrum from top professional to the rankest of amateurs.

Perhaps another reason Instagram has that cachet is because of its Apple iOS exclusivity. Will the port to Android take away some of the appeal of Instagram? Certainly not for Android users, but perhaps it will cause some Apple aficionados to turn their noses up slightly more than usual.

New automated sandbox for Android malware

ISC Diary: One of the things that I’ve been working on lately is building an automated malware analysis environment to handle Android malware, similar to the one I built for Windows malware. I’m not quite there yet, but I was quite pleased to hear about the new service being offered by the folks at Die Universität Erlangen-Nürnberg. This is still a research project, so if you choose to use it, be understanding. Don’t expect 24×7 uptime and let’s try not to DoS them. That said, I’m looking forward to seeing how well it works and how the dynamic analysis will work once it is actually in production.

The Sandbox: http://www.mobile-sandbox.com/

Android smartphones infected via drive-by exploit

At the RSA Conference 2012, former McAfee executives George Kurtz and Dmitri Alperovitch presented a Remote Access Tool (RAT) that infects Android smartphones (version 2.2). They used an as-yet unpatched bug in Android’s WebKit browser to inject the malware. The researchers say that they bought the vulnerability information, and a range of other tools, on the black market. The finished exploit is based on 20 components that apparently cost a total of $1,400 on the black market.

The infection is based on an SMS text message allegedly sent by the user’s service provider. The message contains the request to download an important update and provides a link to this alleged update. One click on the link is enough to infect the smartphone – which means that drive-by infections have now reached the smartphone world. The link downloads the malware and executes the loader; this crashes the device and installs the actual malware components while rebooting.

The demonstrated malware is based on Nickspy, a trojan that has been around for a while; the researchers bought this trojan and modified it. They also created a dedicated command and control infrastructure to control the devices. The experts estimate that the time they spent adapting and developing the necessary code was worth about $14,000.

Once installed, the trojan records phone conversations, activates the smartphone’s camera, reads dialled numbers, copies stored SMS messages and transmits the phone’s current location to the C&C server. The location is conveniently displayed in Google Maps, and the data can be read and transmitted by clicking on the infected phone’s symbol.

Kurtz pointed out that the exploited WebKit vulnerability can, in principle, also be used to install trojans on other operating systems that run this browser. When asked explicitly about iOS, Kurtz told The H’s associates at heise security that “Just like with Android, we would have to get code execution via the browser. Then we would need to escalate our privilege to root. This would allow us to bypass the app store for installation [as we did] with Android.” Kurtz didn’t state how much effort such an attack would involve.

At the end of their presentation, the researchers put the threat level that is created by their discovery into perspective, saying that spyware programs – even commercial spying tools – have existed for quite some time, and that drive-by infections will become part of the smartphone environment. However, “the sky is not falling, these are very targeted attacks”, said Kurtz.

Source: The H-Security