Yearly Archives: 2013


Mobile Security Checklist

By James Green ~ November 11th, 2013 7:09 PM MST

These days everyone has a smartphone or tablet; mobile devices are so integrated into our daily lives that we hardly think about their inherent security or privacy risks… until a device is lost, stolen, or broken. Suddenly, our lives come to a full stop. The precious information we forgot to back up is gone forever, or our sensitive information is at the fingertips of a stranger. To make sure you never experience the debilitating side effects of Lost-Phone Syndrome, or any other mobile-device-related syndrome, we have created the Mobile Security Checklist.

The idea is simple: if you take steps now to back up and secure your mobile data, you avoid the panic if something ever happens to your device. The Mobile Security Checklist is a series of quick and easy changes you can make to keep the information on your device safe whatever happens to the hardware.

Item #1: Secure Your Device with a Mobile Lock Screen

This is non-negotiable. A lock screen is the most basic form of mobile security and should be priority number one on every device. You may not be James Bond, but thieves and spies still want your device and the potentially valuable information it contains. Stop them in their tracks by blocking access to anyone who doesn't know your PIN, pattern, or password.

Item #2: Don’t Download Apps You Don’t Know

Mobile malware has risen substantially in the past few years, and it relies on social engineering to trick users into installing it, so it is important to research an application before you download it. To spot mobile malware, review the permissions the app requests, research the developer, read user reviews, and consider the download source before confirming the download.

Item #3: Back Up Your Data

In addition to the threat of a lost or stolen device there is the threat of a puddle, or a sink, or any body of water large enough to swallow your mobile device. Mobile devices and water go together like Chinese food and chocolate pudding. By backing up the information from your mobile device to a computer or an online backup service you ensure that your photos, phone numbers, addresses, applications, etc. are safe even if you turn your mobile device into an expensive paperweight.

Item #4: Think Before Posting Your Location on Social Media

Don't recklessly flaunt your location on social media. Doing so allows other individuals to track your movements and broadcasts to the world that you are not home, advertising that your house and its contents may be ripe for the picking. Many mobile devices have the option to disable geo-location entirely, but doing so has its own drawbacks: emergency services use geo-location to find your device should you ever require assistance. The safest way to use geo-location is to think twice before you post your location on the internet. Does the world really need to know your every movement?

Item #5: Set Up a Remote Wipe/Locate Application on Your Device

Should you ever find a sneaky thief has separated you from your device or that it has been lost, it is important to be able to locate the device and in extreme cases clear it of all of the information that it contains. There are a variety of free and paid applications available for all platforms that allow you to track the GPS location of your device via a web interface and, if necessary, wipe it clean of all the data it contains.

Item #6: Enable Automatic Updates

Updates to applications and to your device's operating system are often designed to patch newly discovered security vulnerabilities. Enabling automatic updates is the easiest way to ensure that your mobile device stays current.

Item #7: Turn off Wi-Fi/BlueTooth When Not in Use

Free public Wi-Fi is a bad place to perform sensitive online tasks like online banking. There is a trove of applications that allow even the least tech-savvy users to sniff login credentials off public Wi-Fi networks. Other applications (often referred to as "hack tools") allow individuals to access your mobile device over Wi-Fi or Bluetooth. It is good practice to turn off Wi-Fi and Bluetooth when not in use and to disable the auto-connect feature.

Item #8: Readily Display Alternate Contact Information

To assist good Samaritans who find your lost mobile device, readily display alternate contact information. Some mobile platforms have a setting that allows you to display contact information on the lock screen. You can also take a picture of your contact information and set it as your lock screen wallpaper, or use the low-tech option of a sticker on the back of the device.

Item #9: Download and Use an Anti-Virus Application

This isn't available on all mobile platforms, but it is important to use where available. Just like computers, mobile devices can become infected with malware. Using an anti-virus product will help you maintain a clean, malware-free device.


James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA


Mobile Security Starts with a Lock Screen

By James Green ~ November 8th, 2013 11:38 PM MST

Have you ever come back from the bathroom to discover a friend posting an embarrassing status to your Facebook account from your phone? It happens… a lot! This is a lighthearted example of why everyone should protect their mobile device with a lock screen. These days mobile devices contain an incredible amount of sensitive data such as text messages, photos, emails and potentially credit card information. Using a secure form of screen lock is essential to protecting your sensitive information from unauthorized access, and to thwarting your prankster friends.

There are several kinds of lock screen available for mobile devices and they offer varying levels of protection. It is important to know the difference between a secure lock screen and a weak one. Along with protecting your information from unauthorized access, a secure lock screen makes your device less desirable to thieves. A mobile device that can't be unlocked is of no use to anyone but the individual who knows the secret to unlocking it.

To begin with let’s take a look at the types of lock screen features that are the most secure. Then we will discuss the other lock screen styles that do not provide any real level of protection and thus should be avoided.

SECURE STYLES OF LOCK SCREEN

Pattern Style Lock Screen – A pattern style lock screen requires the user to play connect-the-dots to reproduce a pattern previously set by the device owner. This form of lock screen is very common and can offer a reasonable level of protection. Be sure to use a complex pattern; don't use an easy-to-guess shape like an 'X' or a 'C'. Bear in mind that a 3x3 grid allows only about 389,000 valid patterns in total, fewer than a six-digit PIN, so the pattern you choose matters more than the style. An important note about pattern lock screens is that finger grease on the screen can give away your pattern: as the accompanying photo shows, the smear left by repeated unlocking lets anyone who picks up the device guess the pattern. It is good practice to wipe your screen clean to prevent your pattern being read off the glass.

PIN Style Lock Screen – In the same way you use a PIN to protect your bank account you can use a PIN to protect your mobile device, but the two should absolutely be different. This lock screen feature is fully capable of protecting your mobile device from unauthorized access. Choosing a strong PIN is essential: in a study by DataGenetics.com of a sample of 3.4 million four-digit PINs, half of them (1.7 million) fell within just 4% of the 10,000 possible combinations. The best PINs are random and contain no numeric patterns, no keypad patterns, and no references to years or dates.

Password Style Lock Screen – Using a strong password to protect your device is one of the best ways to prevent unauthorized access to your sensitive information and personal accounts. A strong password should have all of these features:

  • At least 10 characters long
  • Contain numbers, symbols and upper and lower case letters
  • Do NOT use words found in any dictionary, in any language (including names, and slang words)
  • Is not a word spelled backwards
  • Is different from your other passwords

For tips on how to create a nuclear strength password that you will always remember see our other blog post about creating strong passwords.
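To put the pattern and PIN options side by side, here is an added Python example (not code from the original post). It enumerates every valid pattern on a 3x3 grid under the rules Android applies (at least four dots, each dot used once, no jumping over an unvisited dot) and applies weak-PIN heuristics for the categories named above: numeric runs, repeated digits, keypad lines, and years or dates. The heuristics are an approximation written for this example, not DataGenetics' own code.

```python
"""Added example: size of the Android-style pattern keyspace, and a
heuristic check for the weak four-digit PIN classes named in the post."""

GRID = 3  # the lock pattern is a 3x3 grid of dots, numbered 0..8


def _skipped_dot(a, b):
    """Return the dot lying exactly between a and b on a straight line,
    or None when the move a->b passes over no dot (knight-like moves)."""
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * GRID + (ca + cb) // 2
    return None


def count_patterns(min_len=4, max_len=9):
    """Count valid patterns by length. Rules: each dot at most once, at
    least `min_len` dots, and a stroke may not pass over an unvisited
    dot (the pattern would snap to that dot instead)."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def extend(path, visited):
        if len(path) >= min_len:
            counts[len(path)] += 1
        if len(path) == max_len:
            return
        for nxt in range(GRID * GRID):
            if nxt in visited:
                continue
            mid = _skipped_dot(path[-1], nxt)
            if mid is not None and mid not in visited:
                continue  # would jump over an unvisited dot: illegal
            visited.add(nxt)
            path.append(nxt)
            extend(path, visited)
            path.pop()
            visited.remove(nxt)

    for start in range(GRID * GRID):
        extend([start], {start})
    return counts


# Straight lines on a phone keypad (rows, columns, diagonals, and the
# 2-5-8-0 column that includes the zero key).
KEYPAD_LINES = ("123", "456", "789", "147", "258", "369", "159", "357", "2580")


def pin_weaknesses(pin):
    """Return the reasons a PIN is easy to guess; an empty list means none
    of the heuristics fired."""
    if not (pin.isdigit() and len(pin) >= 4):
        return ["not a PIN of at least four digits"]
    reasons = []
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps == {0}:
        reasons.append("single repeated digit")
    elif steps in ({1}, {-1}):
        reasons.append("ascending or descending run")
    if len(pin) == 4 and pin[:2] == pin[2:]:
        reasons.append("repeated pair")
    for cand in (pin, pin[::-1]):
        if cand in KEYPAD_LINES or any(
                cand[i:i + 3] in KEYPAD_LINES for i in range(len(cand) - 2)):
            reasons.append("straight line on the keypad")
            break
    if len(pin) == 4:
        if 1900 <= int(pin) <= 2099:
            reasons.append("looks like a year")
        mm, dd = int(pin[:2]), int(pin[2:])
        if (1 <= mm <= 12 and 1 <= dd <= 31) or (1 <= dd <= 12 and 1 <= mm <= 31):
            reasons.append("looks like a date (MMDD or DDMM)")
    return reasons


if __name__ == "__main__":
    by_len = count_patterns()
    print("valid patterns:", sum(by_len.values()), by_len)
    for p in ("1234", "2580", "1985", "8375"):
        print(p, pin_weaknesses(p) or ["no obvious weakness"])
```

The pattern count comes out to 389,112 across lengths 4 to 9, which is why a complex pattern matters: the whole keyspace is smaller than a six-digit PIN's one million combinations, and the finger-grease problem shrinks it further.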

WHAT NOT TO USE:

These forms of lock screen (or lack thereof) do not protect your device and potentially allow unauthorized access to your device, sensitive information, and linked accounts. Armor for Android recommends that you do not use these forms of lock screen on your mobile device.

No Lock Screen– Obviously this provides no protection.

Slide Style Lock Screen– This only requires someone to slide their finger across the screen, no real protection is offered by this feature. We’re fairly confident some well trained animals may be able to crack this style of screen lock.

Face Unlock – This is actually a really interesting kind of lock screen but is not available on all devices and is unreliable. Face Unlock uses facial recognition software to match the user’s face to a predefined photo. The problem is that facial hair, glasses, makeup, lighting, etc can all cause this feature to malfunction. If the face unlock feature is set up poorly it will even recognize the wrong person. If the face unlock fails to recognize the user it will default to another style of screen lock. This screen lock feature just isn’t worth using long term, but is certainly fun to play with. ♦



Android Malware Distributed by World's Most Popular BitTorrent Client

By James Green ~ October 21st, 2013 11:46 PM MST

Xunlei, maker of the world's most popular BitTorrent client, recently discovered that employees had injected malicious code into the company's software, which was then automatically downloading Windows and Android malware to users' devices. The employees responsible have since been identified and dismissed by the Chinese company. Reportedly, thousands of devices were infected before the malicious code was discovered.

The malware distributed by the Xunlei BitTorrent client was brought to light by the security company ESET. Xunlei's own legitimate code-signing certificate was used to sign the Windows malware, which was installed silently as a plug-in to Microsoft Office. The malware was invisible to the user and required no interaction during installation.

If an Android device was attached to the infected Windows machine via USB, the BitTorrent malware would then attempt to install Android applications on it. It was observed installing three different Chinese Android market applications and an application that advertises phone calls at a discounted rate.

[Image: the APKs pushed to attached Android devices. Photo credit: ESET]

ESET security researcher Calvet said that “Overall, the motivation behind the installation of these particular mobile applications remains unknown.” While the applications installed did not appear to be inherently malicious, it is a significant concern that other Windows malware may be able to exploit a similar installation process to distribute other Android malware. Additionally, Calvet made a point to note “that [the applications] code is heavily obfuscated.”

To install these rogue applications, the attached Android device needed to have USB debugging enabled. This allowed the BitTorrent malware to use the Android Debug Bridge (a feature of the Android software development kit) to silently install the applications without the user's knowledge or consent. The USB debugging setting is intended for development, but it is also commonly left on for other purposes (e.g. screenshot applications, as Calvet notes) and on rooted devices running custom ROMs. Since Android 4.2.2 a PC must be explicitly authorized on the device before ADB will accept commands from it, which blunts this technique on current devices that have never trusted the infected PC; on earlier versions any USB-attached host can install packages the moment debugging is enabled. Individuals with rooted devices find that their devices are at higher risk of malware infection through this avenue as well as many others.
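Apps pushed through ADB leave a footprint: the package manager records no installer for them, whereas apps from Google Play record `com.android.vending`. The following added Python example (not part of ESET's analysis or the original post) turns that into a check. The sample listing is constructed in the format `pm list packages -i` prints; on a real device you would feed the function the output of `adb shell pm list packages -i`. The trusted-installer set and the `com.android.` system prefix are assumptions for this example.

```python
"""Added example: flag packages that were sideloaded (installer=null, as
`adb install` leaves them) rather than installed by a trusted market."""

import re

# Installer package names treated as trusted markets (assumption: only
# Google Play). Anything else, including "null", is flagged.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample in the shape of `pm list packages -i` output; not
# captured from a real device.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
package:com.cn.market.alpha  installer=null
package:com.cn.cheapcalls  installer=null
package:com.android.settings  installer=null
"""

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(text):
    """Parse `pm list packages -i` output into {package: installer}.
    Lines that do not match the expected shape are skipped, not guessed."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("inst")
    return result


def sideloaded_packages(pm_output, trusted=TRUSTED_INSTALLERS,
                        system_prefixes=("com.android.",)):
    """Return third-party packages whose installer is not a trusted market.
    Preloaded system apps also report installer=null, so packages under the
    system prefixes are excluded to keep the signal readable."""
    pkgs = parse_pm_list(pm_output)
    return sorted(
        pkg for pkg, inst in pkgs.items()
        if inst not in trusted and not pkg.startswith(system_prefixes)
    )


if __name__ == "__main__":
    for pkg in sideloaded_packages(SAMPLE_PM_OUTPUT):
        print("sideloaded:", pkg)
```

On a real device, `adb shell pm list packages -3 -i` restricts the listing to third-party apps and removes the need for the prefix heuristic, and `adb shell settings get global adb_enabled` prints 1 when USB debugging is switched on, which is the setting to turn off once you are done developing.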

Armor for Android detects these threats as Armor.Riskware.XunleiBit; the Windows malware is detected as W32/Kankan. If any of these threats are detected on your Android or Windows device it is recommended to uninstall them immediately. The full analysis by ESET security researcher Joan Calvet can be found here. ♦



The 2013 Most Dangerous Celebrity Search Term Awards!

By James Green ~ October 11th, 2013 8:13 PM MST

In 2013, there were 10 celebrities who were more likely than any others to return links to malicious websites in online search results. When these celebrities’ names were included with search terms such as “free downloads,” “free app downloads,” “nude pictures,” or other search terms the results frequently included links to websites containing spyware, phishing scams, and even Trojans. More than any other stars this year these 10 celebrities are the riskiest to search online.

[Photo: Lily Collins, by Gage Skidmore]

Riskiest celebrity to search for online: Lily Collins

Here are the runners-up for the Riskiest Celebrity to Search Online (for lack of a better term) Award, counting down from #10:

  10. Emma Roberts
  9. Adriana Lima
  8. Jon Hamm
  7. Britney Spears
  6. Katy Perry
  5. Zoe Saldana
  4. Kathy Griffin
  3. Sandra Bullock
  2. Avril Lavigne

And the Winner of the 2013 Riskiest Celebrity to Search Online (for lack of a better term) Award is…

  1. Lily Collins

The Riskiest Celebrity to Search Online (for lack of a better term) Award is obviously not real, but it is a fun way to address a very real threat. Security firm McAfee conducts an annual survey on which celebrities are used by cyber criminals to lure unsuspecting victims to malicious websites. The results were recently released and there were many interesting things to take away from the research.

By far, women dominate the risky celebrity search results. The only man in the Top 10 was Jon Hamm, who crept in at #8. According to McAfee only two other men (Justin Timberlake at #12, Patrick Dempsey at #13) made it into the top 20.

Also interesting to note is that none of the top 10 celebrities from last year’s study returned to the Top 10 in 2013. This means cyber criminals are working to stay current with popular trends, including celebrity trends, to ensure that their malicious websites continue to have popular content that users are searching for.

The best way to prevent a malware infection is to avoid these celebrity search terms and other risky online activity (adult content, pirated TV shows, pirated movies, etc.). But if you must keep up with these celebrities' lives, relationships, and break-ups, keep these tips in mind to avoid malicious websites.

Avoid downloads – Free downloads are the most prolific way to distribute malware. Avoid downloading content (songs, videos, apps) from untrustworthy websites.

Be cautious when searching trending topics – Cyber criminals will exploit popular topics that people are searching for to drive more traffic to malicious websites.

Never provide log in credentials to access “exclusive” content – This is a common phishing scam that is designed to harvest your email and a password. Cybercriminals prey on users who share passwords across several accounts, providing this information opens you up to identity theft.

Keep software and apps up-to-date – Updates are designed to patch security vulnerabilities. Staying current with updates will lower your risk of malware infection.

Stick to trusted sources – For news, downloads, and anything else your heart desires try to stick with websites that have a positive online reputation. Keep in mind, no reputation can be as dangerous as a bad reputation.

Use an Anti-Virus application – There are so many threats in the Android landscape, use an Anti-Virus application to ensure that you do not fall victim to Android malware. ♦



PSA: Be Safe When Using Public Wi-Fi

By James Green ~ September 23rd, 2013 11:06 PM MST

Public Wi-Fi is a great shared resource that allows numerous individuals to connect to the beloved World Wide Web. While sitting and sipping coffee we can happily log in and check our email or peruse our favorite online store and make a quick impulse buy. Public Wi-Fi provides entertainment while we are out and about in our daily lives.

From a different perspective, cyber-criminals see public Wi-Fi as a potential gold mine. Public Wi-Fi hotspots rarely have any security features, and traffic sent over these insecure connections can be easily monitored. Sensitive information, such as usernames and passwords, sent over public Wi-Fi networks is at risk of being stolen and used without authorization. It is important to know how to use public Wi-Fi safely to protect yourself and your sensitive information.

If at all possible, forgo public Wi-Fi and use your mobile data plan, which cannot be monitored as easily. However, if you need to use public Wi-Fi because you are approaching your mobile data limit or for any other reason, keep these things in mind.

  1. Always verify the Wi-Fi network before connecting. If you are at a business that advertises free Wi-Fi, ask an employee for the name of their network. It is becoming increasingly common for cyber-criminals to set up free Wi-Fi hotspots in public areas to lure unsuspecting victims into connecting. Those victims are connecting directly to an attacker-controlled access point that will monitor their activity and steal whatever information it can.
  2. Practice responsible web surfing while using public Wi-Fi. Limit your browsing over public Wi-Fi to informational websites. Avoid websites that request sensitive information such as login credentials and credit card numbers. The website itself may be trusted, but the Wi-Fi connection is not secure: unless the site protects the whole session with HTTPS, any sensitive information sent over the network can be intercepted and used to gain unauthorized access to your social media, email, or financial accounts.
  3. Use different passwords for each of your accounts. It may seem overbearing, but doing so prevents a widespread loss across multiple accounts if a single password is compromised. At Armor for Android we created a step-by-step tutorial on how to create a strong, unique password that is easy to remember by using a password formula.
  4. Use a secure connection. When browsing via public Wi-Fi make sure you are using an HTTPS connection, not plain HTTP. Better yet, many devices can use a VPN (Virtual Private Network), which encrypts all traffic between your device and the VPN server so the hotspot sees none of it.
  5. Turn off Wi-Fi when not in use. This goes double for turning off your device's Wi-Fi auto-connect feature, which would otherwise let your device join an insecure or even malicious Wi-Fi network without your knowledge.
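The first tip can be turned into a check. The following added Python example (not code from the original post) takes a list of scanned access points and flags the ones you should not join when you are looking for the network name an employee gave you: a name that is broadcast both open and encrypted (a classic rogue twin), a near-duplicate spelling of the expected name, or any open network you did not ask for. A legitimate business often has several access points (BSSIDs) under one name, so that alone is not flagged. The scan results are constructed for the example.

```python
"""Added example: spot rogue and look-alike hotspots in a Wi-Fi scan."""

from collections import defaultdict
from typing import NamedTuple


class AccessPoint(NamedTuple):
    ssid: str
    bssid: str
    security: str  # "open", "WEP", "WPA2", ...


# Constructed scan results; not captured from a real environment.
SCAN = [
    AccessPoint("CoffeeHouse_Guest", "00:11:22:33:44:01", "WPA2"),
    AccessPoint("CoffeeHouse_Guest", "00:11:22:33:44:02", "WPA2"),  # 2nd AP, normal
    AccessPoint("CoffeeHouse_Guest", "de:ad:be:ef:00:01", "open"),  # rogue twin
    AccessPoint("Coffee_House_Guest", "de:ad:be:ef:00:02", "open"), # look-alike
    AccessPoint("Free Public WiFi", "de:ad:be:ef:00:03", "open"),
]


def _normalise(ssid):
    """Collapse case, spaces, underscores and hyphens so that near-duplicate
    names compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def suspicious_networks(scan, expected_ssid):
    """Return {ssid: reason} for networks that should not be joined when
    the user is looking for `expected_ssid`."""
    security_by_ssid = defaultdict(set)
    for ap in scan:
        security_by_ssid[ap.ssid].add(ap.security)

    target = _normalise(expected_ssid)
    flagged = {}
    for ssid, securities in security_by_ssid.items():
        if "open" in securities and len(securities) > 1:
            # Someone is broadcasting the same name without encryption.
            flagged[ssid] = "same name broadcast both open and encrypted"
        elif ssid != expected_ssid and _normalise(ssid) == target:
            flagged[ssid] = "look-alike of the expected network name"
        elif "open" in securities and ssid != expected_ssid:
            flagged[ssid] = "open network you did not ask for"
    return flagged


if __name__ == "__main__":
    for ssid, why in suspicious_networks(SCAN, "CoffeeHouse_Guest").items():
        print(f"avoid {ssid!r}: {why}")
```

Even when the scan is clean, an open network offers no protection on its own; that is what tip 4 (HTTPS or a VPN) is for.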

Cyber-crime is becoming increasingly rampant; taking simple steps when using public Wi-Fi will help keep your sensitive information safe and secure. Being safe and responsible when using public Wi-Fi will help you avoid becoming a victim of cyber-crime. ♦



Create a Strong, Memorable Password Using a Password Formula

By James Green ~ September 12th, 2013 5:23 PM MST

Dear reader, this is never an easy subject to broach, and receiving criticism can be tough so we will deliver it as gently as possible with a revolutionary management tool called the “Compliment Sandwich”. We will say something good about you, talk about where you need improvement, and end with something good. Here it goes… You’re a fantastic reader, your password is terrible, and you look really great in that shirt. Phew, I think that went well.

Joking aside, the likelihood that your password is about as strong as a soggy noodle is quite high. It is equally likely that you are using one or two passwords across numerous accounts, or still using the same password you created five years ago. These are what you call "bad password habits". We are going to show you how to create a strong, unique password for each of your online accounts and give you the tools to remember all of them.

Over the past several years many popular websites have been hacked and tens of millions of users' passwords have been leaked. Using a single password across several accounts increases the risk of personal or financial loss should your login credentials be compromised in a data breach. At Armor for Android we conducted a company-wide survey of who had been affected by data breaches. Participants were asked to visit PwnedList.com or ShouldIChangeMyPassword.com and enter all of their email addresses to see if any had ever been part of a data breach. We found that over 10% of participants had been victims of a data breach. For those affected this was important knowledge that required immediate action. We encourage you to visit either website and check all of your own email addresses to see if your information has ever been part of a data breach. Let us know the results and participate in our Data Breach Survey.


If none of your email addresses have been affected by a data breach, that's great news! Let's take steps to create a strong, unique password for each of your online accounts so that a future data breach is unlikely to cause you personal or financial loss. If you do find that one of your email addresses has been compromised, it is incredibly important to change the password on that account, and on any other account where you reused it, immediately. We will show you how to create a strong, unique password for each of your accounts.

HOW TO CREATE A STRONG PASSWORD

Creating a strong unique password is quick and easy with our password formula. It may appear complicated but don’t fear, we have broken the password formula down step by step and we will walk you through how to create your own. This is the password formula we will use to create our password.

PASSWORDBASE + COMPLEXCOMPONENT + UNIQUEID = STRONG PASSWORD

The PASSWORDBASE and the COMPLEXCOMPONENT will always remain the same to make your password easier to remember. The UNIQUEID is the only component of this formula that will change to create a unique password for each of your accounts. Feel free to change the order of these password components when creating your own password.

CREATING THE PASSWORD BASE:

The PASSWORDBASE is an acronym created using a group of memorable information. This acronym should be at least six characters long and contain an uppercase letter, a lower case letter, a symbol and a number.

You can choose any group of information that is easy to remember, such as the first names of your immediate family members, the lyrics of your favorite song, or the cast of your favorite movie. We will create an example password using the family from the TV show Family Guy; we encourage you to follow along and create your own password with your own information.

  • Peter
  • Lois
  • Chris
  • Meg
  • Stewie

We have ordered the family members by age and created an acronym from the first letter of each name: "PLCMS". To increase complexity we insert the number of children, giving "PL#3CMS". Finally, to include both upper and lower case letters we capitalize only the parents' initials and lowercase the children's, giving "PL#3cms". Very quickly we have created an easy-to-remember, strong PASSWORDBASE.

ADDING A COMPLEX COMPONENT:

Since the PASSWORDBASE will frequently contain mostly letters, the COMPLEXCOMPONENT should be numbers and symbols. Use information that you can remember easily to create a COMPLEXCOMPONENT at least three characters long. Here are a few examples:

  • Favorite player on your favorite sports team: #12
  • How old you were when you married: @30
  • A reminder to start your savings account: ^$!
  • Love: <3!
  • Heartbreak: </3
  • High five: 0/\0
  • Shark attack: _/\_\0/_
  • Shark attacking a cheerleader: _/\_*\0/*_

It’s surprisingly easy to create a COMPLEXCOMPONENT with three (or more) numbers and symbols that is easy to remember. Because we love Family Guy we used ‘<3!’ in our password, but it was hard to pass on the shark attacking a cheerleader.

CREATING A UNIQUE ID:

The UNIQUEID is the only component of the password that changes, and it should also be at least three characters long. It is produced by two rules that you apply to the name of the website (e.g. Google, Facebook, Twitter) to quickly derive your UNIQUEID.

1.) SELECTION RULE – this determines which letters of the website's name will be used.

Example: “the first and last pair of letters of the website name”

  • Google = gole
  • Facebook = faok
  • Twitter = twer

2.) ENCRYPTION RULE – this rule disguises the selected letters (strictly speaking a simple substitution rather than encryption) so that the site name is not obvious if an individual password is ever leaked.

Example: “move up one letter in the alphabet for each letter”

  • gole = hpmf
  • faok = gbpl
  • twer = uxfs

GO CHANGE YOUR PASSWORDS!

Using our password formula we have created the following complex password, which is easy to remember and can be customized for each online account.

PASSWORDBASE + COMPLEXCOMPONENT + UNIQUEID = STRONG PASSWORD

PL#3cms + <3! + hpmf = PL#3cms<3!hpmf

The time has come to employ the techniques you have learned and go change your passwords! Dream up your own password base and find a complex component to include. Then develop your own super-secret unique ID rules. One caveat: the base and the complex component are shared by every password you build this way, so anyone who obtains two of your passwords in plaintext can spot the shared part, and the per-site rule is then all that stands between them and your other accounts. Using this password formula you will be able to create AND remember strong, unique passwords and protect your sensitive information online. ♦
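Here is the formula carried out mechanically, as an added Python example rather than code from the original post. It applies the selection rule and the shift rule exactly as described above, assembles BASE + COMPLEX + UNIQUEID, and checks the result against the strong-password rules from the lock screen post. One detail the post leaves open is assumed: the shift wraps around the alphabet, so 'z' becomes 'a'. The tiny word list in the checker is a constructed stand-in for a real dictionary.

```python
"""Added example: the PASSWORDBASE + COMPLEXCOMPONENT + UNIQUEID formula,
implemented so the per-site rules can be checked for consistency."""

import string

PASSWORD_BASE = "PL#3cms"    # Peter, Lois, #3 children, Chris, Meg, Stewie
COMPLEX_COMPONENT = "<3!"    # "love"


def selection_rule(site_name):
    """First and last pair of letters of the site name, lowercased."""
    letters = "".join(ch for ch in site_name.lower() if ch.isalpha())
    if len(letters) < 4:
        raise ValueError("site name needs at least four letters")
    return letters[:2] + letters[-2:]


def shift_rule(text, shift=1):
    """Move each letter `shift` places up the alphabet. Assumption: the
    shift wraps, so z -> a. This is a substitution, not encryption; its
    only job is to keep the site name from being obvious in a leak."""
    abc = string.ascii_lowercase
    return "".join(abc[(abc.index(ch) + shift) % 26] for ch in text)


def unique_id(site_name):
    return shift_rule(selection_rule(site_name))


def build_password(site_name, base=PASSWORD_BASE, complex_part=COMPLEX_COMPONENT):
    """BASE + COMPLEX + UNIQUEID, in the order the post uses."""
    return base + complex_part + unique_id(site_name)


def meets_rules(password, min_len=10):
    """Strong-password checklist: length, all four character classes, and
    no dictionary word forwards or backwards (constructed mini word list)."""
    wordlist = {"password", "family", "peter", "google"}
    low = password.lower()
    has_classes = (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )
    no_words = not any(w in low or w[::-1] in low for w in wordlist)
    return len(password) >= min_len and has_classes and no_words


if __name__ == "__main__":
    for site in ("Google", "Facebook", "Twitter"):
        pw = build_password(site)
        print(f"{site:9} -> {pw}  strong={meets_rules(pw)}")
```

Running it reproduces the post's own worked values (hpmf, gbpl, uxfs), which is also a handy way to verify that the rules you invent for yourself give a different UNIQUEID for every site you use.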



Armor for Android Teams up with STOP.THINK.CONNECT

By James Green ~ September 4th, 2013 10:49 PM MST

[Infographic: Armor for Android / STOP.THINK.CONNECT, Android malware in 2013]

Armor for Android has joined the STOP.THINK.CONNECT initiative! STOP.THINK.CONNECT is designed to increase awareness of cybersecurity, promote online safety strategies, and engage the nation in a cybersecurity conversation. The initiative has been pioneered by StaySafeOnline.org, whose mission is to educate and empower users to be safe and responsible online.

Through close collaboration, Armor for Android and the STOP.THINK.CONNECT initiative have produced an info-graphic detailing the threat of Android malware in 2013. It was determined that the Android platform has been the favorite target of mobile malware authors for several years. In addition to malware targeting the most popular mobile operating system, malware also targets the most popular versions of the Android OS. To avoid being the target of Android malware users are encouraged to stay up-to-date with the most current versions of the Android OS.

Together, Armor for Android and STOP.THINK.CONNECT determined that the most prominent threats to Android users in 2013 are premium service fraud Trojans. This form of malware steals money by sending SMS messages to premium-rate numbers, or by dialing premium-rate telephone numbers, without the device owner's knowledge. The charges appear on the user's mobile phone bill and often go unnoticed until it is too late and the unauthorized charges have been paid in full.

To read more about the results of the collaboration visit the STOP.THINK.CONNECT blog article at StaySafeOnline.org! To stay up to date on the Android malware landscape follow us on Twitter at @ArmorForAndroid and follow StaySafeOnline.org at @StaySafeOnline! ♦



Never Say Never with Google Play Password Protection

By James Green ~ August 15th, 2013 10:18 PM MST

In-app purchases on the Apple platform have left some users with bills of up to $3,000. The same is possible on Android, but Google has tried to prevent enormous unwanted bills by requiring password confirmation to complete an in-app purchase. However, there is an option to bypass that confirmation, and we are here to plead with you to never select "Never Ask Me Again."

To be fair, we don't want to paint in-app purchases in a bad light. In-app purchases are a great way for developers to monetize their apps so they can continue to offer free Android applications. Consumers use them to buy items or cheats that help them beat games, and commonly to buy virtual currency to spend within the application. Beyond the "Never Ask Me Again" password option we have absolutely no problem with the in-app purchase process.

In-app purchases are charged directly to the payment method attached to the user's Google account, generally a credit card or the mobile phone bill. The final stage of an in-app purchase prompts the user to enter their Google account password to confirm the purchase, and on this screen there is also an option to "Never Ask Me Again." You might assume this is like a "remember password" feature that will auto-fill your password in future; it is not. Enabling "Never Ask Me Again" skips the password confirmation screen entirely from then on. The setting is also not application-specific: once enabled it affects in-app purchases across all applications.

As the accompanying screenshot shows, even Google seems to take a "proceed at your own risk" attitude to this option. If you select "Never Ask Me Again" Google displays a short disclaimer stating that using this option "may result in unauthorized purchases."

The "Never Ask Me Again" option simply makes the in-app purchase process too easy; if you enable it you are likely to encounter unauthorized charges. Whether or not you are a parent, chances are good that you've handed your smartphone or tablet to a child to keep them entertained, and click-happy children can very easily make in-app purchases once password confirmation is bypassed. Equally likely is a pocket purchase with this option enabled. Below are screenshots of the entire purchase process from opening the application to completed purchase. Each red box represents a tap on the device screen.

[Screenshots Purchase1 through Purchase5: the in-app purchase process from opening the application to completed purchase]

From start to finish the purchase process took only four clicks. This example fails to highlight users who are already in a game and put their phone in their pocket. With a game open your device can be as few as two clicks away from making an unauthorized in-app purchase in your pocket. For demonstration purposes we purchased an item that was only $4.99 but applications commonly offer in-app purchases in multiple denominations from $0.99, $9.99, $19.99 all the way up to $99.

What’s more, these in-app purchases are not protected by the same 15 minute refund policy as purchases of applications made on Google Play. All refunds for in-app purchases are entirely at the discretion of the application developer. To get a feel for how developers handle refund requests for in-app purchases we did some research on popular Android developers’ websites and reached out to their customer support departments for further clarification.

INVESTIGATING IN-APP REFUND POLICIES

We contacted the well known Android app development companies below, all of which use in-app purchasing; what follows is a rundown of each company’s support capabilities and refund policies. Not all of the companies we reached out to responded. The level of customer support and the refund policies for in-app purchases varied from company to company. In our experience it is in your best interest to take steps to prevent unauthorized in-app purchases (perhaps by using the default password confirmation option…) rather than chasing down refunds.

Com2Us – The Terms of Use are readily available within applications and on the developer’s website but the terms don’t have a particularly helpful stance about the refund policy for in-app purchases. We made contact with the customer support department for further clarification. Two contact email addresses were conveniently located in the applications and the website has an email form to submit a support ticket. We opened a ticket and requested information about the Com2Us refund policy for in-app purchases and received the following response within 24 hours.

“We can only help refund the charges if the purchases were not used within the game. If they were used, then unfortunately we are unable to refund the charge.”

We were still concerned that a child could make an in-app purchase and use the item purchased and the bill payer would still be responsible for this purchase. We asked the support representative if a refund could be processed under these circumstances and their response was that they could not refund any purchases that have been used in the application regardless of the age of the individual who used the item. Overall this refund policy for in-app purchases seems pretty fair.

Disney – The Terms of Use are pretty easy to find within the games published by Disney on Google Play. Unfortunately, these terms make zero mention of in-app purchases. Disney’s interactive studios support website is basically a searchable database of answers to frequently asked questions (FAQs). We were unable to locate a support phone number but there was an email submission form and a “Live Chat” option available. Unfortunately, I doubt the live chat feature will ever be any use to anyone as these are the live chat hours of availability published on the website.

  • Monday – Wednesday:  Closed
  • Thursday:  10:00 AM – 11:00 AM PDT
  • Friday – Sunday:  Closed

One hour a week… no exaggeration. To use the email submission form you are required to set up an online account with Disney (a valid e-mail address is required). Using the email submission form we submitted a request for information regarding the refund policy for in-app purchases. After several days we have yet to receive a response for our question.

Gameloft – We were unable to find the Terms and Conditions within Gameloft applications but they were readily available on the developer’s website. The terms have an entire section dedicated to in-app purchases of virtual items and the company’s stance on refunds for these purchases is as follows:

“No refunds will be given, except in our sole and absolute discretion.”

So it seems the company does not intend to issue refunds for in-app purchases, but it does leave the door open for special cases. We contacted customer support to determine if accidental in-app purchases or purchases made by a minor without permission could be refunded. The response we received was that refunds would be considered for each individual situation. This response echoes the terms of service: refunds appear to be possible, although the company does not elaborate on the circumstances in which refunds would be approved.

GSN – The Terms of Service for GSN are readily available within their applications. However, the TOS made no mention of the in-app purchase refund policy. This is because there are separate terms and conditions for token purchases; we were unable to locate the token terms within the application but we easily found them on the developer’s website. The Token Program Terms & Conditions stated the following with regard to refunds:

“Tokens are non-refundable and you are not entitled to a refund for unused Tokens…”

We were curious whether there was any circumstance in which a refund would be approved, so we attempted to reach out to the GSN customer support department. The support section of the GSN website is largely a source of answers to FAQs. The support section also contains a link where users are able to open a support ticket to get a human response to questions. The contact form states that there will be a 1-2 business day response time; we opened a support ticket requesting clarification on the refund policy for in-app purchases and the response took the full two days. The original response we received from customer support attempted to direct us to Google for a refund; we pointed out that refunds for in-app purchases are the responsibility of the developer and asked for clarification of their in-app refund policy. We have yet to receive a relevant response.

King – Within applications produced by King we were unable to locate any Terms and Conditions. However, when visiting the developer’s website (King.com) the Terms and Conditions were easily located. The terms did not carry a specific reference to in-app purchases but the following extract from the terms does suggest that King does not intend to issue any refunds.

“As a result you will not have the right to cancel these Terms or to any refund of monies you pay…”

For further clarification we attempted to reach out to the King customer service department which was not a particularly easy task. The developer’s website (King.com) has an extensive FAQ section that users are directed to for support. We did find an email submission form but no phone number to contact. The response we received from the email form directed us to contact other departments. We proceeded to contact each department and request a refund or an outline of the refund policy for in-app purchases. After several days of back and forth we did finally receive an email requesting the following information:

  • Purchase ID / order number
  • Reason for the refund request
  • Email address

We replied to the customer service email with the requested information. The response from customer support declined our request for a refund. Here is a snippet from the response we received.

“It’s the owner of the phone’s responsibility to make sure unauthorised purchases aren’t made.

Unfortunately, we only give refunds on the damaged items or items that were not received due to technical issues from our side”

PikPok – The Terms of Service are available on this developer’s website and are linked within the application. The developer’s website also lists contact phone numbers, a postal address and several contact emails. When we contacted the PikPok support department via email we received an immediate response. The representative we communicated with portrayed the refund policy in this way:

“we are happy to refund accidental purchases”

Just to be sure, we asked if purchases made by minors could also be refunded. The company’s representative was happy to confirm that they could and added that they regularly process refunds of that type. PikPok was hands down the easiest company to contact and had great customer service; other companies failed to provide a similar experience. The customer service representative added a little piece of advice that we wholeheartedly agree with and would like to pass on.

“always password protect purchasing on your device before handing it to a child.”

Zynga – Within Zynga applications the full Terms of Service are easily found from the main menu. Conveniently, Zynga includes a customer service button within the application that provides a direct link to the customer service email form, more on that in a moment. The TOS seem to have a pretty clear stance on refunds for in-app purchases; the following is an excerpt from the TOS found within the application:

“PURCHASES OR REDEMPTIONS OF THIRD PARTY VIRTUAL CURRENCY TO ACQUIRE A LICENSE TO USE VIRTUAL ITEMS ARE NON-REFUNDABLE”

While the stance on in-app refunds seems quite clear we proceeded to reach out to the customer service department as well. We clicked the in-app customer support button and filled out the email form requesting information on the refund policy for in-app purchases. We quickly received an auto-response email and the human response took only a few more hours. After a little back and forth with the customer service department we never received a straight answer on the refund policy. We were instead pointed to a page where we found the Terms of Purchase, which offered this with regard to refunds:

“No refunds will be given, except in our sole and absolute discretion.”

The support website was not particularly easy to navigate, but we were able to locate a customer service phone number, and it appears Zynga also provides support through Twitter and Facebook. We contacted Zynga through both social media outlets but have yet to receive a response on either platform. We placed a call to the billing department support number and were told that we could request a refund; to do so we would need to email the billing department for the specific application. More emails, and the customer service loop continues.

CONCLUSION: PASSWORD PROTECTION > REFUND REQUESTS

Some developers (PikPok and Com2Us) were great about quickly responding to our requests and had consumer-minded refund policies for unauthorized purchases. Unfortunately these developers seem to be the exception and not the rule. The majority of developers we contacted were slow to respond, avoided responding to specific questions or ignored our requests altogether. Contacting the relevant refund department felt like a run-around, and while refunds for unauthorized purchases seemed possible, persistence and patience were required.

Overall the process of contacting developers and getting information about the refund process for in-app purchases was frustrating. When push comes to shove, using password protection for in-app purchases is clearly the smarter option. There is simply no good reason to forego the password confirmation requirement for in-app purchases. The hassle of potentially lost money far exceeds the hassle of entering your password each time.

If you have disabled password protection for in-app purchases on your device it can be undone. The process to enable password protection for in-app purchases is relatively quick and simple but it does require two things. Firstly you will need to have your Android device in hand, and you will need to have internet connectivity. Then simply follow the steps outlined below.

To Disable the “Never Ask Me Again” password option for In-App Purchases

  1. Open the Google Play application on your device
  2. Launch the Google Play main menu
  3. Select “Settings” from the menu
  4. Scroll down to the “User Controls” section and check the box next to “Password”
  5. Enter your Google account password to confirm changes

Now the box next to “Password” will be filled with a check mark and all in-app purchases will require password confirmation.

If you have not updated your Google Play application recently the process to secure your device will be a little different. To enable PIN protection on in-app purchases follow these instructions:

  1. Launch the Google Play application
  2. Open the Main Menu
  3. Select “Settings”
  4. Scroll down to the User Controls section and select “Set or Change PIN”
  5. Choose a strong PIN number, then re-enter the PIN when prompted
  6. Check the box to “Use PIN for Purchases”

Future in-app purchases will require PIN authentication to confirm the purchase. ♦

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA


The Rise of Android Malware: 2008 – 2013

By James Green ~ August 2nd, 2013 11:30 PM MST

From humble beginnings Android malware has become an industry unto itself; it is more malicious, more complex, and more common than ever before. This article will attempt to deliver a “brief” history of malware on the Android platform. Discussed herein are the major developments and outbreaks of Android malware. There is a lot of information to cover and by no means is this timeline all inclusive. Most of the threats discussed in this article are still active in 2013. If you are using Armor for Android or another trusted antivirus application your device is protected.

In 2008 and 2009, back in the infancy of the Android platform, Android represented no more than 4% of the smartphone market. Users had little reason to worry about a malware infection on their Android devices, as the threat was simply not that significant. This isn’t to say that the platform was devoid of malware; Android malware did exist. But cyber criminals are motivated by money, and at the time the Android platform was not popular enough to represent significant financial gains. Over the course of 2010 things began to change. Android began to gain popularity and by the end of 2011 smartphones running the Android operating system represented 46% of the total smartphone market. In 2011 Bloomberg estimated that the smartphone industry was worth 219 billion dollars, and by the third quarter of 2012 the number of smartphone users surpassed 1 billion worldwide. In 2013 Android devices represent nearly 75% of the booming smartphone market. Cyber criminals have taken notice of Android, and now 90% of mobile malware targets the Android platform.

(Quick note: In March of 2012 Google renamed its Android app store from ‘Android Market’ to ‘Google Play’. Simply for the sake of continuity this article refers to it as Google Play throughout. Any reference to an Android market means an unofficial Android market.)

2008 – 2009

Even before the official release of the first Android smartphone in October 2008 there was already Android malware. A group from the University of Electronic Science and Technology in China (UESTC) created malware that was capable of controlling some device activities and stealing information from the device. Reportedly this malware was intended as a proof-of-concept and not intended to perform any malicious attacks against users. Not a lot of information is available about what steps Google took to patch the security vulnerabilities exposed by this malware. No operating system is flawless and in time other vulnerabilities would be discovered and exploited.

MobileSpy – In November 2009 the first spyware for the Android platform was released by Retina-X Studios. MobileSpy is a spyware application full of privacy-invading features, including the ability to remotely monitor incoming and outgoing text messages, phone calls, emails, web history, photos, videos, GPS location and more. All someone had to do was install the MobileSpy application on the target device and they could monitor the device completely via a web interface. Exploiting the privacy of another individual for profit: not a bad start, Android malware, but I have a feeling you can do worse… much worse.

Droid09 – In late December that same year unauthorized banking applications were discovered on Google Play. Published by a fake developer named DROID09, these applications are believed to be the first example of an Android phishing scam. The malware was advertised as paid Android banking applications for several different real banks; once the victim entered their login information the malware would simply open the device browser to the bank’s online webpage. This malware was not complex and was mainly a social engineering threat.

2010

2008 and 2009 were slow years on the Android malware front. Remember, during these years Android itself was not a particularly popular mobile platform yet. As the platform continued to grow the malware industry would also. From 2008/09 to 2010 the amount of malware on the Android platform more than doubled from about 1,400 unique samples to 3,200 unique samples.

In 2010 Android malware authors found their ‘pièce de résistance’, premium service fraud. Premium service fraud was not a new concept and had been occurring for many years prior to 2010. But, the adoption of the concept and the delivery method were revolutionary in terms of Android malware. Even today, the model below serves as the foundation for some of the most common forms of Android malware.

  • The malware author registers a premium rate phone number or short code (short codes are used as phone numbers for premium rate SMS services).
  • The malware author then creates an SMS Trojan or Dialer Trojan application and publishes the malware on an Android market to be downloaded by consumers.
  • Once the application is installed on a victim’s device it will silently send SMS messages or make phone calls to the malware author’s premium rate number or short code.

FakePlayer – The first SMS Trojan was discovered by Kaspersky labs in August 2010 and was dubbed FakePlayer. This application was advertised as a media playing application, but unbeknownst to the user FakePlayer would also send out SMS messages from the device to premium SMS services. These messages would incur additional charges of approximately $5 each on the victim’s mobile phone bill. The device would then also receive mandatory response messages from each premium SMS service. To avoid arousing suspicion and bombarding the device with premium SMS response messages the FakePlayer Trojan was designed to only commit this fraudulent activity when the application was launched for the first time. In time SMS Trojans would develop other methods to compensate for premium SMS response messages.

Fake Angry Birds – In November 2010 security researcher Jon Oberheide spent some time trolling Google to expose a security vulnerability in Google Play’s installation process. Oberheide essentially created one of the first Trojan Downloader applications and successfully published the Trojan to Google Play. Oberheide created a fake Angry Birds application capable of imitating the install request sent from the Google Play app to Google Play’s servers. By imitating the installation request the application was capable of tricking Google’s servers into installing additional applications on the device without any user interactions. The fake Angry Birds application successfully downloaded and installed inactive malware from Google Play; this malware was fully capable of tracking the device location, committing premium service fraud, or stealing device information. Thankfully Oberheide fights the good fight and this experiment was strictly proof-of-concept to get Google’s attention and improve Google Play’s security. If you’re interested, Oberheide makes for an entertaining read and the full analysis of his experiment is available here.

Geinimi – Discovered by Lookout in late 2010, Geinimi was two things: unquestionably the most sophisticated Android malware discovered at the time, and perhaps the first example of a mobile botnet. The author of Geinimi packaged the malicious code into a large number of previously legitimate applications to trick consumers into installing the Trojan on their devices. Once installed, the Trojan harvested a significant amount of data from the infected device and forwarded this stolen data to a remote server. This Trojan had the capability to communicate with a remote server and receive commands. Geinimi was capable of executing over 20 commands, including stealing further information from the device, committing premium service fraud, or even downloading additional malware and prompting the user to install it. However, researchers were never able to actively observe commands being sent from the server to the Trojan.

2011

Over the course of 2010 we witnessed Android malware move from spyware and rudimentary phishing scams to premium service fraud, Trojan downloaders and even possible botnet malware. The Android platform was becoming more popular and cyber criminals began to recognize an opportunity for significant financial gains. According to research firm Gartner, Android sold 67 million devices worldwide in 2010; in 2011 Android would sell more than 220 million devices. Malware developers would invest even more effort into creating malware for Android devices, and the investment paid off. In 2011 Android malware experienced a meteoric rise. Over the course of 2010 a total of 3,200 unique Android malware samples were discovered; 2011 laughs at 2010. The year 2011 brought 36,000 new Android malware samples, roughly an increase of 1200%.

ADRD (HongTouTou) – In February 2011 a click-fraud Trojan was discovered called ADRD, also known by the (much more fun to say) name ‘HongTouTou’. Like the Geinimi Trojan, the malicious code of ADRD was packaged into a large number of previously legitimate applications and republished by the malware author. The ADRD Trojan would collect information from the device and contact a remote server; the remote server would return an encrypted list of keywords. ADRD would decrypt the keywords and perform a search for each keyword on a well known Chinese search engine called Baidu. ADRD would then click on a specific link returned in the Baidu search results to increase the search engine ranking of that specific web site. ADRD was interesting in that it did not commit any inherently malicious acts towards the device or the device user. However, it may still have resulted in additional charges to the victim’s mobile phone bill due to data overages.

DroidDream – In March 2011 the discovery of DroidDream hit the Android community so hard that reportedly several Google executives required haircuts when they woke up (we jest). The shock over DroidDream was threefold. First, over 50 DroidDream Trojan applications had made their way onto Google Play. Second, DroidDream applications had been downloaded an estimated 200,000 times combined. And finally, DroidDream was (and still is) capable of rooting infected devices and gaining administrator privileges without the user’s knowledge.

When DroidDream is installed on a device it harvests device information and forwards the stolen information to a remote Command and Control (C&C) server. Then the rooting begins. DroidDream is packaged with two well known rooting exploits, RageAgainstTheCage and Exploid. These exploits, on their own, are not malicious and can provide users with root privileges on Android OS versions 2.2 and earlier. But when these exploits are packaged in a Trojan application and used to silently root a device without the user’s knowledge they become incredibly dangerous. If DroidDream succeeds in rooting the infected device it gains administrator privileges on the device and is capable of performing any function without the user’s knowledge. Effectively, the malware author behind DroidDream had complete control of infected devices through the C&C server.

Google scrambled to repair the damage. The DroidDream applications were removed from Google Play post-haste and Google remotely removed the DroidDream applications from infected devices. Google also pushed an update to victims’ devices that contained an application called “Android Market Security Tool March 2011” that reversed the effects of the exploits (un-rooted the devices if you will). While the blame for the lack of security on Google Play lies squarely on the shoulders of Google they do deserve an honorable mention for the way they handled the situation.

Denofow – Sometimes pranksters put a pretty significant amount of effort into executing a prank. Such efforts led to the Denofow Trojan, which was discovered in May 2011. Denofow is a trojanized version of an application that already teeters on the borders of good taste called “The Holy F***ing Bible.” The Trojan application waited for the date of May 21st 2011 to execute its malicious payload. On that date, the Denofow Trojan sent SMS messages containing one of the following messages to each of the device contacts.

  • “Cannot talk right now, the world is about to end”
  • “Es el fin del mundo”
  • “Its the Raptures,praise Jebus”
  • “Jebus is way over due for a come back”
  • “Just saw the four horsemen of the apocalypse and man did they have the worst case of road rage”
  • “Prepare to meet thy maker, make sure to hedge your bet just in case the Muslims were right”

On May 21st 2011 the Denofow Trojan also changed the wallpaper of infected devices to an image of the popular American TV show host Stephen Colbert. Then on May 22nd 2011 the Denofow Trojan repeated the malicious activity, changing the device wallpaper to a new image and sending a new SMS message to all the device contacts with the following text.

  • “Looks like Jebus is a no show, maybe Judaism was on to something”

Fortunately Denofow did not steal any information or root the device and no financial loss was experienced as a direct result of the Trojan. Essentially the Denofow Trojan was a prank albeit in poor taste. Now back to the serious stuff.

DroidKungFu – Led by Xuxian Jiang, the hard working research team at NC State University discovered DroidKungFu in June 2011. Like DroidDream, this rooting Trojan also contains two well known rooting exploits (RageAgainstTheCage and Exploid). DroidKungFu is capable of rooting Android devices running Android OS versions 2.2 and earlier; if the device is successfully rooted the Trojan is able to execute any device activity without the device user’s knowledge. DroidKungFu installs an application called ‘legacy’ that disguises itself as the Google Search application, misspelled as “Google SSerach.” This application connects to a remote command and control (C&C) server to receive further instruction. The malware author is able to instruct the Trojan to perform any activity on the device without the user’s knowledge. The DroidKungFu rooting Trojan effectively converted the infected device into a bot controlled by the malware author.

GingerMaster – This one is a little tough to follow because the individuals responsible for naming the components related to this threat had an affinity for the word ‘ginger’. Let me explain:

  • In February 2011 Google released GingerBread (with a ‘D’). GingerBread was the newest Android OS version at the time and included new features and patched old security vulnerabilities (like the vulnerabilities exploited by DroidDream and DroidKungFu).
  • Never content with the stock Android operating system, three months later the Android community released GingerBreak (with a ‘K’). GingerBreak was a rooting exploit which rooted devices and allowed developers administrator access to their device to develop and test custom ROMs, themes, etc.
  • In August 2011 GingerMaster was discovered. This was a Trojan containing the new GingerBreak (with a ‘K’) rooting exploit. This Trojan was capable of rooting devices running the newest Android OS version, GingerBread (with a ‘D’).

We can thank Xuxian Jiang and his crack team at NC State for not naming this rooting Trojan GingerB-anything! GingerMaster would root the infected device if possible and then harvest device-specific information and contact a remote C&C server. The Trojan would download additional malware to the device and, using the administrator privileges gained by rooting the device, install the malware without the device user’s knowledge. All Android threats capable of installing further malware are extremely dangerous, as the additional malware installed can have an endless list of malicious capabilities. To recap, GingerMaster uses GingerBreak to root devices running GingerBread and install additional malware. It’s straightforward stuff.

2012

With the development of Android rooting Trojans in 2011, Android malware stopped playing checkers and started playing chess. Android devices now represented 66% of the entire smartphone market and showed no signs of regressing. By this point malware authors were fully aware of the financial opportunities that Android represented. Mobile malware had started to forget about other mobile platforms and 90% of mobile malware was now written for Android devices. In 2012 Trojans reached an all time high, with 70% of Android malware falling into that category. Malware continued its onslaught on the Android platform and over the year more than 210,000 new unique malware samples were discovered. Researchers now lived under a seemingly endless pile of malware samples to analyze; the need for antivirus protection for Android users had never been greater.

RootSmart – As Google worked to patch old security vulnerabilities, malware authors worked to find and exploit new ones. To help keep Android malware out of Google Play a security feature called Google Bouncer was introduced in February 2012. Google Bouncer scans applications for malware signatures (like rooting exploits) before the application is published on Google Play. If the application contains anything malicious it is not published and the developer’s account may be suspended. The same month that Google Bouncer was introduced, Xuxian Jiang and his team at NC State discovered the RootSmart Trojan.

RootSmart outsmarted the Android security model once again and was published to Google Play. Unlike its predecessors this rooting Trojan did not contain any rooting exploits. Instead, once the RootSmart Trojan was installed on a device it would contact a remote C&C server and download the GingerBreak rooting exploit. Using the GingerBreak rooting exploit RootSmart would attempt to root the device to gain administrator privileges. Then the Trojan would contact a remote server to download and install additional malware on the device without the user’s knowledge. An interesting note about RootSmart is that if it was unsuccessful at rooting the device it would still contact the remote C&C server to download additional malware and simply prompt the user to install.

Cawitt – Developers are understandably not big fans of pirated applications that deny them the opportunity to earn money for their efforts. Unfortunately, some very confused rogue developers have decided to partake in pirating applications to teach users a lesson, which led to the discovery of the Cawitt Trojan in June 2012. Cawitt is a trojanized version of a popular third party Twitter application called Tweetbot. The Cawitt Trojan steals a variety of sensitive device information and forwards it to a remote C&C server. The C&C server can then instruct the Trojan to perform two malicious functions. Firstly, the Cawitt Trojan can be instructed to send SMS messages to subscribe the device to premium SMS services, which incur additional charges on the victim’s mobile phone bill. Premium service fraud is old hat by this point in Android malware, but next the Cawitt Trojan makes sure to publicly shame the individual using the pirated application. Using the victim’s Twitter account the Cawitt Trojan composes the following message and posts it to the victim’s Twitter feed.

“I’ve been demoing a pirated copy of @tweetbot and really like it so I’m going to buy a copy!”

Doing a quick search on Twitter for the above text we can see that a large number of users were affected by this Trojan. The developers certainly seem to think that their end justifies their means; I would argue it takes questionable morals to make that assumption.


Vidro – Discovered by Kaspersky Labs in August 2012, the Vidro Trojan was not the first of its kind, nor was it part of a substantial outbreak, but it is the poster child for modern SMS Trojans. As the poster child, Vidro allows us to discuss some commonalities that are seen across the SMS Trojan family. To begin with, Vidro is advertised as an adult video playing application. Adult content related applications simply have a higher ratio of SMS Trojans than other categories. There are certainly plenty of other categories, such as games and utilities, but adult content seems to be a more prominent target of malware authors.

Vidro, like many other SMS Trojans, requires users to agree to a ‘terms of service’ to use the application. Often the terms for SMS Trojan applications are misleading and bury the information regarding the premium SMS subscription deep in the lengthy terms of service. In the case of Vidro, the terms of service are nonexistent and cannot be viewed online or in the application. Many SMS Trojans, including Vidro, rely on users blindly agreeing to ‘terms of service’ as a way to appear more legitimate should the malware authors ever face legal action. Once the user accepts the fake terms the Trojan will send one or more SMS messages to subscribe the device to premium SMS services that incur additional charges to the victim’s mobile phone bill (Vidro actually performs this malicious activity daily).

Finally, SMS Trojans have always had to deal with response messages sent back to subscribed devices from the premium SMS service. Network operators often require premium SMS services to send an SMS message back to the device with information about all charges. Failure to send this response SMS message may result in the network operator withholding funds from the premium service owner, so even malware authors are obliged to comply. Obviously the malware author would prefer that the user of the device not receive an SMS message alerting them to these unauthorized charges. For this reason Vidro, like most other modern SMS Trojans, has a broadcast receiver that monitors all incoming SMS messages on the device looking for messages sent from the premium SMS service number. If a response SMS message is received from the premium service, the broadcast receiver will intercept and delete the message before it can be displayed to the user. The broadcast receiver may also monitor for a specific keyword in the SMS messages to intercept and delete. Vidro is representative of most SMS Trojans: it requires users to agree to a fake terms of service, subscribes the device to a premium SMS service to incur additional charges to the victim’s mobile phone bill, and then actively covers its tracks by deleting any evidence of its activity.

SpamSoldier – In late December 2012 Android malware had reached such popularity that it was being used to distribute malware on other platforms. The SpamSoldier Trojan contacts a remote C&C server and downloads a list of phone numbers and a message body to the infected device. The Trojan then sends an SMS message containing the message body to each phone number downloaded from the C&C server. Researchers at FortiGuard captured a message sent by one of the SpamSoldier Trojan samples; here is the example:

“You’ve just won a $1000 Target gift card but only the 1st 1000 people that enter code 7777 at http://holyoffers.com can claim it!”

Clicking the link only leads users to a scam website where many individuals have been defrauded of a considerable amount of money. The SpamSoldier Trojan will report to the C&C server that the spam SMS messages have been sent. Additionally, in an effort to conceal the malicious SMS activity, the Trojan deletes the spam messages from the device outbox and intercepts and deletes all incoming SMS messages that are not from a phone number in the device contacts.

2013

In the first quarter of 2013, of the 210 million smartphones sold worldwide, 156 million of them were running on Android (Gartner). Android sold more devices in a single quarter than any competing platform sold in the entirety of 2012. Not keen to miss out on the fun, Android malware is keeping pace. In the first quarter of 2013 there were roughly 157,000 unique Android malware samples discovered; that’s 74% of the malware samples discovered in all of 2012. The first quarter of any year has historically been the slowest for malware discoveries, and it would be conservative to estimate that this pace will continue over the course of 2013. If this pace does continue we should expect to see over 600,000 unique malware samples discovered across the industry in 2013.

Arguably, Android is as dominant in the mobile industry as Microsoft is in the computer industry. As the use of Android has become so widespread, Android malware can now use very specific attacks that result in considerable gains for the author. In 2013 we start to see some examples of these targeted attacks. We also start to see the blurring of lines between Android malware categories. Malware authors are creating Trojans to deliver spyware and creating adware to deliver Trojans. The Android malware landscape is more complex than it has ever been before, and using some kind of anti-malware protection has become a necessity.

Chuli – In March of 2013 we witnessed one of the first targeted attacks using Android malware. According to Kaspersky Labs, “a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list.” The email contained a malicious APK file that appeared to reference a recent human rights conference in Geneva. This malicious file was in fact both a Trojan and spyware; once installed on the device the Chuli Trojan-spy would steal the SMS messages, call logs, contacts, and location of the device (along with some device-specific information like model and Android OS version) and forward it to a remote command and control server. This command and control server was located in California but was owned by a Chinese company based in Beijing.

FakeKakao – In April of 2013 Tibetan activists were wise to the Android malware game and had selectively chosen an application called Kakao Talk to communicate messages, images, videos, etc. Other applications were avoided due to the Chinese government putting pressure on manufacturers to allow them to monitor the application traffic. Kakao Talk was presumed safe until a Tibetan representative of the parliament in exile received an email that contained a malicious “security update” for the application. The fake security update, dubbed FakeKakao, was also a Trojan spyware application. Once installed on the device the spyware would monitor and steal the device contacts, SMS messages, and the cellular network location of the device. This stolen information is then forwarded to a remote server controlled by the attackers. It is speculated that the cell network location would only be useful to an attacker that had knowledge of the cell network and could use this information to locate the victims. Further speculation by citizenslab.org suggests that this was actually a targeted attack by the Chinese government towards the Tibetan group.

BadNews – This threat is one of those Android threats that blur the lines between malware categories. In mid-April 2013 Lookout discovered the BadNews adware/Trojan. BadNews was essentially a malicious adware network used in a series of 32 applications published on Google Play. Unlike other adware networks, BadNews was used to distribute SMS Trojans.

The BadNews applications would collect potentially sensitive device information and contact a remote C&C server. The C&C server would then issue commands for the BadNews application to display an advert on the infected device. Often the advertisement that was displayed was malicious and would declare that an “update” was required for several popular applications. A link to the “update” was included in the malicious advert; if the user clicked this link an SMS Trojan would be downloaded to the device with an innocuous package name such as “Skype_Insataller.apk.” The SMS Trojan would then commit premium service fraud, sending SMS messages to premium SMS services and incurring additional charges to the victim’s mobile phone bill.

It is unknown how many individuals were victimized by the SMS Trojans distributed on the BadNews network. However, it is known that applications containing the BadNews ad network were downloaded between 2 million and 9 million times combined, making BadNews one of the most widespread Android malware infections to date.

Obad – In June Kaspersky Labs researcher Roman Unuchek uncovered the Obad Trojan. Obad performs the usual malware tricks: it sends SMS messages to premium rate SMS services, downloads and installs additional malware without the user’s knowledge, and steals information from the device. Unfortunately that’s not all; this Trojan also exploits previously unknown vulnerabilities in the Android security model, actively disrupts commonly used analysis tools, uses unusually advanced code obfuscation, and can spread via Wi-Fi and Bluetooth. Obad is the undisputed belt holder and champion of “Most Sophisticated Android Trojan.”

Due to a previously unknown vulnerability the Obad Trojan is nearly impossible to uninstall. When the Obad Trojan is installed it requests Device Administrator privileges. Any application that is granted Device Admin privileges cannot be uninstalled until those privileges are revoked. Revoking Device Admin privileges is normally done by going to the Settings/Security/Device Administrator menu and removing the application from this list. The Obad Trojan exploits a security vulnerability that allows it to remove itself from the Settings/Security/Device Administrator list while maintaining the Admin privileges. The user of the device therefore cannot revoke the Trojan’s Admin privileges and cannot uninstall the Trojan without doing so.
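The SMS interception described for Vidro and SpamSoldier and the Device Administrator registration described for Obad both leave traces in an application’s manifest, which is the kind of thing a pre-publication scanner like Google Bouncer or an on-device antivirus can check statically. The following Python script is an added example and is not Armor for Android’s code: it parses a decoded AndroidManifest.xml (the text form that a tool such as apktool produces; both manifests embedded below are constructed samples, not real applications) and flags the SEND_SMS plus RECEIVE_SMS permission pair, any receiver for android.provider.Telephony.SMS_RECEIVED that sets a high android:priority, and any receiver registered as a Device Admin.

```python
"""Static manifest heuristic for the SMS-Trojan / Device-Admin indicators
discussed above.  Added example, not Armor for Android code.  Expects a
decoded (text) AndroidManifest.xml; the samples below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
SEND_SMS = "android.permission.SEND_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"

# Constructed sample combining all three indicators (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Video Player">
        <receiver android:name=".SmsWatcher">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed benign sample: no SMS permissions, no special receivers.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benign">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""


def _a(elem, name):
    """Read an android:-namespaced attribute (android:name, android:priority, ...)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(xml_text):
    """Return a dict of findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {_a(p, "name") for p in root.iter("uses-permission")}
    findings = {
        "package": root.get("package"),
        # Both permissions together: can subscribe to a premium service and
        # watch for the operator's confirmation message.
        "sms_send_and_receive": {SEND_SMS, RECEIVE_SMS} <= perms,
        "high_priority_sms_receivers": [],   # (receiver name, priority)
        "device_admin_receivers": [],
    }
    for rcv in root.iter("receiver"):
        name = _a(rcv, "name")
        is_admin = _a(rcv, "permission") == BIND_DEVICE_ADMIN
        for flt in rcv.findall("intent-filter"):
            actions = {_a(act, "name") for act in flt.findall("action")}
            priority = int(_a(flt, "priority") or 0)
            # A positive priority lets the receiver see SMS_RECEIVED before
            # the stock messaging app in the ordered broadcast.
            if SMS_RECEIVED in actions and priority > 0:
                findings["high_priority_sms_receivers"].append((name, priority))
            if DEVICE_ADMIN_ENABLED in actions:
                is_admin = True
        if is_admin:
            findings["device_admin_receivers"].append(name)
    return findings


def indicator_count(findings):
    """Number of the three indicators present (0..3); a triage score, not a verdict."""
    return (int(findings["sms_send_and_receive"])
            + int(bool(findings["high_priority_sms_receivers"]))
            + int(bool(findings["device_admin_receivers"])))


if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        f = analyze_manifest(text)
        print(f["package"], "indicators:", indicator_count(f))
```

None of these indicators is proof on its own; a legitimate messaging app or a mobile device management agent declares the same things, which is why real scanners combine manifest checks with code-level signatures. Note also that from Android 4.4 onward only the default SMS app can consume an incoming message, so on newer devices the high-priority receiver is a weaker signal than it was for Vidro’s generation.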

The Obad Trojan will harvest device information and establish a connection to a remote command and control (C&C) server. This server can issue any of the following commands to be executed by the Trojan:

  • Compose and send SMS messages to phone numbers specified by the C&C server (response messages will be monitored and deleted)
  • Test the C&C server connection
  • Retrieve and send the user’s phone account balance
  • Act as a proxy
  • Connect to a specified URL
  • Download and install additional malware
  • Send the list of installed applications
  • Send the user’s contacts
  • Execute any device function
  • Send files to other Bluetooth devices

To make matters worse, Obad will also execute an SUID command which can potentially grant the Trojan root privileges on the device. If the Trojan successfully obtains root privileges it will be able to perform any device function. Root privileges are serious business and allow the Obad Trojan to download and install additional malware to the device without the user’s knowledge or consent.

Obad is capable of spreading to other devices that are connected to the same Wi-Fi network or via Bluetooth. The Trojan will copy itself and any other malicious applications it may have installed from the C&C server and transmit the copied malware files to other connected devices.

Finally, Obad makes analysis by malware researchers a frustrating affair. Obad uses an advanced level of obfuscation that makes the code much more difficult to analyze; some of the code is even encrypted multiple times for further obfuscation. Additionally, Obad exploits another previously unknown vulnerability in software called DEX2JAR (commonly used by researchers to crack APKs and extract the original source code) that disrupts the conversion from Dalvik code to more easily analyzed Java code.

Thankfully the Obad Trojan has not yet infected a significant number of devices. However, if the Obad Trojan were to become more prominent it would be an outright nightmare.

AntiObScan – In another example of a targeted Android malware attack, fans of popular musical artist Jay-Z fell victim to the AntiObScan Trojan. AntiObScan was discovered in early July of 2013; the Trojan was a pirated version of the application “Magna Carta Holy Grail” which contained an advance copy of Jay-Z’s new album exclusively for Samsung users. The AntiObScan trojanized version of the application waited for July 4th 2013 and changed the wallpaper of all infected devices to an anti-Obama image. The wallpaper image referenced the NSA spying scandal that was exposed in mid-2013. The wallpaper contained the following messages:

  • YES WE SCAN (an alteration of the Obama campaign slogan Yes We Can)
  • OBEY US
  • CONTROL
  • WE ARE WATCHING YOU

This Trojan also registered a new service on the device called “NSAlistener” which actually had no effect on the device but was surely worrisome to the victims of this Trojan.

This Trojan is another example of a very specific attack having widespread effects. The legitimate Jay-Z application was very popular but was only available to Samsung users; the malware author exploited the desire of non-Samsung users to get the exclusive application and spread a political message via an Android Trojan. Android has become so popular that political activists are becoming malware authors to spread their message. Watch out world.

Android Malware is Here to Stay

This was mentioned at the beginning of this article but it’s worth mentioning again. The majority of the threats discussed in this article are still active in 2013, the exceptions being any malware that was set to execute its payload on a specific date and the DROID09 phishing scam.

In this article we covered 19 Android malware families; it should be emphasized that there are a great number of Android malware families that were not discussed. Armor for Android detects approximately 280 unique Android malware families with an endless number of variants in each malware family. The threats discussed in this article were selected for a variety of reasons. Some were selected because they were the first of their kind, others because they were highly malicious or they affected a large number of people. Some were simply selected to lighten the overall mood of this somewhat doom-saying article. The 260+ malware families that did not make it into this article are just as much a threat as the ones that did.

Google makes a valiant effort to curb malware and protect users by developing and improving the Android operating system. Only 12% of Android malware targets the Android OS Jelly Bean (4.1.x or 4.2.x). It would be great if all Android devices operated on Jelly Bean, or even the majority of devices. But 62% of all Android devices operate on older versions of the Android OS, leaving them exposed to a vast landscape of Android threats. The reason there are so many devices running an older version of Android is that Google officially releases Android updates but it is your mobile service provider that pushes these updates to your device. Often mobile service providers will take time to customize the update before pushing it to their customers’ devices, and this process can delay the update significantly. Mobile service providers are also notorious for not sending updates to devices older than 24 months, which leaves older devices vulnerable.

Regardless of which version of the Android OS is running on your device we recommend that you use an antivirus application of some kind. At Armor for Android we are proud of the product we produce and we recently received a 98.2% detection rate in an independent test performed by the internationally recognized AV-Test.org. However, if you should choose not to use our product, please use some kind of AV application on your device. Don’t be a victim of Android malware. ♦

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA


Pros and Cons of Rooting Your Android Device

By James Green ~ April 16th, 2013 11:44 PM MST


To root or not to root; if you’re reading this article that’s probably the question. Rooting your Android device allows a higher level of customization than is already available on the Android platform. But rooting isn’t for everyone; there are absolutely advantages to rooting your device, but they do not come without risk. In this article we will present you with the facts and encourage you to weigh them for yourself to decide if rooting is the right choice for you. To start, let’s quickly review the rooting process and what rooting does to an Android device.

What is Rooting?

The Android operating system is an open source platform and is already highly customizable, but some limitations remain. Carriers often install and lock applications (lovingly referred to as bloatware) onto a device prior to sale. Other limitations come in the form of safety mechanisms designed to protect users from themselves. Rooting your Android device is a way to bypass all of the predefined limitations of Android.

By rooting your Android device you essentially become the device administrator. System administrator access, also known as root access or superuser access, allows the user to control and change the operating system of their device as they see fit. By “control and change the operating system” we mean everything… everything can be adjusted, from flashing custom ROMs to changing the speed and power of the processor. Depending on how experienced you are with Android technology, the idea of such a high level of customization may have you drooling over the possibilities or turning and running for safer pastures. Before we discuss the pros and cons let’s take a quick look at the process of rooting the device.

If you root your Android device be aware that the process will wipe all information off the device. Any important information that you need to keep should be backed up prior to beginning the process. Also know that the process of rooting your device is not comparable to a microwave dinner ready in five minutes; there will be some preparation and execution involved that will require time. Make sure that you have enough time available, because stopping the process halfway may result in the device being ‘bricked’, which will render the device about as useful as, you guessed it, a brick.

The process of rooting an Android device is unique to each model and operating system. You will need to search the internet to find a rooting process that will work with your specific device. Be sure that the rooting tools you are using will successfully root your specific device, model, manufacturer, and operating system. Using the wrong root tools could lead to the device being ‘bricked’. As with installing applications, users should research the source of their rooting tools before forging ahead with the process to ensure that the source is safe and trustworthy.

Now that we understand what is meant by rooting an Android device, let’s start stacking up the pros and cons of rooting so that you can decide whether or not rooting your device is right for you.

Pros:

Remove Preinstalled ‘Bloatware’ – Carriers and manufacturers have been known to install applications that cannot be removed from the device; oftentimes these applications are unwanted by users. Once a device has been rooted the user will have the necessary privileges to remove any manufacturer or carrier bloatware they do not want.

Custom ROMs & Unofficial Updates – The Android community is full of unofficial developers who customize Android software packages, stripping them of unnecessary features, optimizing performance, or even heavily customizing ROMs to change the look and feel of the operating system entirely. Not only are there custom ROMs that provide advanced modification, but for users who have an older device that their carrier has stopped pushing operating system updates for, rooting the device provides an avenue to install the latest up-to-date operating system.

Custom Themes – A custom theme allows users to customize the look and navigation of their devices. Users can install custom icons and backgrounds, change the display organization and even create specialized menu navigation like side bar menus that are present on all device home screens. Essentially if you can dream it you can build a theme to make it a reality on your rooted device.

Root Only Applications – Root only applications can even be found in the Google Play market. There are far too many different root only applications to describe them all; a few of the most essential root only applications were highlighted by AndroidPolice.com, which can be viewed by clicking here, here, and here. Wi-Fi tethering is one of the essentials that allows users to turn their mobile device into a Wi-Fi hotspot that can provide internet access to your laptop or other mobile devices while not paying for an additional data plan. (Armor for Android is in no way endorsing Wi-Fi tethering, only pointing out that it can be done.)

Increased Device Performance – Through root applications the device performance can be adjusted. Overclocking the processor can increase processor speed, while underclocking the processor when the device is not in use can increase battery life from hours to days. The Android community develops and improves the Android kernel, increasing device speed and providing better power management. The latest kernel is often more stable and more efficient than the one installed by the manufacturer. A rooted device also has the ability to update the baseband; updating the baseband can improve network signal and call quality.

System Backup and Restore – Applications, files and settings can be backed up and restored on rooted Android devices. This is a handy feature for trying a new custom ROM. You can back up your device as it currently is to the SD card and flash a new ROM to the device; if it isn’t what you were looking for, simply restore the device to the way it was from the SD card.

Cons:


‘Bricking’ the Device – During the process of rooting your Android device you run the risk of a failure or a malfunction that can ‘brick’ the device. To ‘brick’ a device is to completely break it, leaving it no more useful than a brick or a paperweight. If a device is ‘bricked’ there is little to nothing that can be done to repair it and it will likely need to be replaced.

Device Hardware Destroyed – If the device is successfully rooted you are still not out of the woods. If you choose to tinker with the hardware of the device, keep in mind that the manufacturer did extensive testing to find the safest, most efficient settings. Adjusting the settings (such as overclocking) on the device too much can lead to destruction of the hardware. For example, if you choose to increase power to the processor you may burn out the processor or pixels on the screen due to too much power.

Voided Warranty – Rooting your Android will likely void the warranty of the device. In the event that the device is bricked or some of the hardware is destroyed, the manufacturer or carrier is unlikely to provide you with a replacement device. No one wants to spend several hundred dollars replacing a device, so if you are wary of your technical skills be careful if you choose to root your device. Once the device is rooted you’re on your own.

Software Updates – Once a device is rooted, software updates to the latest Android operating system may not work. If you try to update to the latest Android operating system from a rooted device it can lead to the phone being returned to factory settings, a boot loop (the device continually reboots but never finishes booting), or even the device being ‘bricked’. Updating to the latest Android operating system from a rooted device can lead to the loss of data that has not been previously backed up. Custom ROMs also have a tendency to release frequent updates to patch bugs and improve performance, which can be as frequent as multiple updates a week.

Increased Security Risk – A rooted device has a higher risk of becoming infected with Android malware. To gain root access on any device the default security settings of the Android operating system must be bypassed, which makes the device more vulnerable to potential threats. Even if the ratio of legitimate applications to malware applications were to remain constant, a rooted device has a higher risk of downloading malware because it has access to a larger selection of applications. If you choose to root your device it is especially important to install an antivirus application to help detect potential threats before they are installed on the device.
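Because a rooted device carries the extra risk just described, security and banking apps commonly check for root before handling sensitive data. The following Python script is an added example, not Armor for Android’s code: it implements the two classic root indicators, an su binary in one of the directories rooting tools usually place it in and a build.prop whose ro.build.tags is test-keys rather than release-keys. The list of su directories is an assumption drawn from common root-check implementations, the two build.prop fragments are constructed samples, and the file-existence check is injectable so the logic can be exercised off-device.

```python
"""Root-indicator check of the kind a security app runs before trusting a
device.  Added example, not Armor for Android code.  The su directories are
an assumed list of commonly checked locations; build.prop samples are
constructed."""
import os

# Assumed: directories where rooting tools commonly drop the su binary.
SU_DIRS = (
    "/system/bin", "/system/xbin", "/sbin", "/system/sd/xbin",
    "/system/bin/failsafe", "/data/local/xbin", "/data/local/bin", "/data/local",
)

# Constructed build.prop fragment from a rooted/custom-ROM style build.
ROOTED_BUILD_PROP = """# constructed sample, not a real device
ro.build.tags=test-keys
ro.build.type=userdebug
ro.product.model=ExampleRootedPhone
"""

# Constructed build.prop fragment from a stock, release-signed build.
STOCK_BUILD_PROP = """# constructed sample, not a real device
ro.build.tags=release-keys
ro.build.type=user
ro.product.model=ExampleStockPhone
"""


def parse_build_prop(text):
    """Parse key=value lines of build.prop, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def root_indicators(build_prop_text, exists=os.path.exists, su_dirs=SU_DIRS):
    """Return which root indicators are present.

    `exists` defaults to os.path.exists; pass another callable to test the
    logic without a device.  A 'likely_rooted' verdict needs either an su
    binary or a test-keys build; ro.debuggable alone only marks a
    userdebug/eng build and is reported for information.
    """
    props = parse_build_prop(build_prop_text)
    su_found = [d + "/su" for d in su_dirs if exists(d + "/su")]
    test_keys = "test-keys" in props.get("ro.build.tags", "")
    return {
        "su_binary": su_found,
        "test_keys": test_keys,
        "debuggable_build": props.get("ro.build.type") in ("userdebug", "eng"),
        "likely_rooted": bool(su_found) or test_keys,
    }


if __name__ == "__main__":
    # On a real device you would read /system/build.prop here; the sample
    # text stands in so the script runs anywhere.
    print(root_indicators(ROOTED_BUILD_PROP))
    print(root_indicators(STOCK_BUILD_PROP))
```

A determined user can hide su or edit build.prop, so checks like this raise the bar rather than settle the question; an app should treat a positive result as a reason to limit functionality or warn, not as a guarantee either way.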

Our Two Cents:

At Armor for Android we don’t have a universal stance for or against rooting your device. What we do recommend is that all users consider the pros and cons carefully before making their decision. A rooted device has a great many advantages that can increase the productivity, and your enjoyment, of the device. However, non-technically-savvy users that attempt to root their devices may find that it is more than they bargained for, and they run the risk of turning their shiny new smartphones into really expensive bricks. A rooted device, whether you are technically savvy or merely technically curious, is at a greater risk from malware, and steps to protect the device should be taken. As always, we recommend that you install and use an antivirus application. We wholeheartedly recommend Armor for Android; but if you decide against our application, please use some kind of antivirus. Finally, it is always smart to back up your information before and after the rooting process, as there are a multitude of ways that your important information can be lost. ♦
