Author Archives: James Green

About James Green

James Green is an information security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users.


Join the Battle for Net Neutrality! Protect the Net!

By James Green ~ September 10th, 2014 9:00 AM MST

On Wednesday the 10th of September, websites across the net joined the Battle for the Net and are displaying a spinning progress bar to raise awareness of net neutrality. Internet providers are trying to pass a law in congress that would allow them to create a paid internet “fast-lane.” This would allow internet providers to segregate data and charge customers a higher rate based on the content they are accessing. We cannot allow this to happen.

The internet is currently an equal playing field for everyone who accesses it. An internet “fast-lane” would benefit people who could afford to pay higher rates and hurt those who couldn’t; small businesses would be forever at a disadvantage to larger corporations. The law the internet providers are pushing congress to pass is nothing more than a money grab, and, terrifyingly, congress is seriously considering passing it.

It only takes 60 seconds for you to defend the net.

  • Visit the FCC’s comment page at http://www.fcc.gov/comments.
  • Select proceeding 14-28 “Protecting and Promoting the Open Internet,” this should be near the top (as of this writing it is third on the list).
  • Fill out your information in the boxes provided, please use your real information.
  • In the comments box write, “I want internet service providers classified as common carriers.” If you feel strongly about protecting the net, and we hope you do, leave your own message as well.

It takes no time at all to tell congress that you want the internet to remain open and fair. Don’t let internet providers change the structure of the net.

Join the Battle for the Net by following this link.

Battle for the Net has also created a great infographic outlining the dangers of the proposed law change; we have published their infographic below.

[Infographic: Battle for the Net]


Android Malware Roundup – June 2014

By James Green ~ July 1st, 2014 8:00 AM MST


June was a busy month, full of numerous new mobile threats. Ransomware-style mobile malware took the media by storm and has become one of the most prolific new threat types of 2014. Sadly, the reason ransomware has become so popular is that it is so effective, and yet if users backed up their data more regularly we could starve out the ransomware malware category. I cannot stress enough the importance of performing regular backups of your device; this will save you from total data loss and a major headache in the long run.

Below is a summary of the mobile threats discovered in June 2014, presented in chronological order of discovery (to the best of my ability). Further information about each threat can be found by clicking the links provided in the sub-title or text. I love feedback and I am always happy to answer questions, so please feel free to contact me via email or Twitter.

Malware Pre-installed on New Devices

Brand-new devices being sold in the US and UK on Amazon have been discovered hosting pre-installed Android malware. Ominously named ‘Skaynet,’ reminiscent of the Terminator self-aware computer program Skynet, these devices contain the Uupay Android Trojan disguised as the Google Play market.

The Uupay Trojan is capable of collecting a significant amount of sensitive device information and sending the information to a remote server located in China. The most dangerous feature of this malware is its ability to remotely install an application on an infected device without the user’s knowledge or permission. The remotely installed applications can have an endless list of malicious functions and may be capable of operating in the background, while the device owner is completely unaware of the malicious activity.

Snapchat Spam Promotes Android Malware

In late May and early June, it was discovered that spammers had taken to Snapchat and promised users free Google Glasses if they visited GlassforSnap.com. This website was hidden from desktop users, but mobile users found the advertised website confirming the false promise of free electronics. The catch? Users needed to complete a single “sponsor offer” to qualify. The sponsor offer required the user to download a particular application.


The application download process varied across operating platforms and between regions. GlassforSnap.com targeted only Android users in Europe, Asia, and South America with Android malware and sneaky premium SMS subscription services. All users who did not fit the scam profile were told that they did not qualify for the offer. In the end no users got a free pair of Google Glasses, but a select demographic received Android malware and expensive premium SMS charges on their mobile phone bills.

Mobile Ransomware – A Trendy Threat

If a malware award show existed mobile ransomware would win ‘best newcomer.’ The first mobile ransomware threat was discovered in June 2013 but in recent months the malware category has seen significant growth. In June 2014 four new mobile ransomware threats were discovered.


The three Android ransomware threats (Cryptolocker, Svpeng, and Simplocker) lock devices (or encrypt data) under the pretense that illegal pornographic material has been discovered. The threats demand that a fine (of varying amounts) be paid, under the guise of an official-sounding government agency.

Cryptolocker and Simplocker both lock the device but are incapable of encrypting files; both also demand payment via a payment system called MoneyPak (Cryptolocker demands a $300 ransom, Simplocker demands a $200 ransom). Svpeng is the first mobile ransomware threat capable of encrypting files and will do so to select file types found on the SD card of an infected device. Svpeng is the least costly, demanding roughly a $20 ransom through PayPal.

When Flappybirds Attack

We’ve reported on the Flappybird malware epidemic a few times. The reality is this: the official Flappybird game no longer exists on any mobile platform (for the time being). It is likely that any app claiming to be Flappybird is some form of malware (SMS Trojan, spyware, etc.). DO NOT INSTALL FLAPPYBIRD UNTIL FURTHER NOTICE.

South Korean Banking Trojan

Discovered by CM Security Research Lab, an application disguised as a game or a third-party application market is stealing banking credentials from South Korean Android users. Once installed, the threat detects whether a legitimate banking application is installed on the device and then suggests that the legitimate banking application requires an update. If the victim confirms the “update,” the Trojan downloads a fake banking application to replace the legitimate one. The fake banking app requests the victim’s username and password, bank account number, and “bank security card number” and forwards this information to the cybercriminals responsible.

Once the sensitive information is stolen the app displays a pop-up window stating “No Wi-Fi connection. Use 3G or try to connect to the Wi-Fi again.” Closing the pop-up window closes the app and removes the app icon from the app menu.

Banking Trojans are a particularly dangerous form of mobile malware and, unfortunately, all too common. Reportedly this banking Trojan variant has already victimized about 100,000 South Koreans.

Government-Condoned Hacking Team

Hackers and Governments seem like natural enemies, but on the contrary these two natural rivals are cooperating to the detriment of the public. Italian company ‘Hacking Team’ has created commercial Remote Control System (RCS) spyware which they are selling to governments across the world. The RCS malware is compatible with any mobile operating system platform (Android, iOS, Windows Phone, Blackberry), and reports stolen information back to C&C servers to be collected by potential government agencies.


Kaspersky researchers uncovered a unique signature which they used to identify 326 RCS C&C servers worldwide. The country hosting the largest number of RCS C&C servers (64) was the United States, followed by Kazakhstan (49), Ecuador (35), the UK (32), and many, many other nations. While it isn’t possible to conclusively prove these C&C servers are owned by government agencies, speculation suggests this is likely the case. The WHOIS information related to the C&C server IP addresses is identified as “government,” and hosting the C&C servers locally prevents entanglement in international privacy laws.

RCS malware can be installed remotely on a mobile device connected to an infected Windows or Mac computer. The malware is capable of monitoring almost all device processes, including voice recording, email, SMS and MMS messages, web activity, call history, GPS location and even the device camera.

Android Selfie Malware

Believe in your selfie, but don’t believe in spammy malware. Selfmite is an SMS worm-style form of Android malware, proliferated through text messages from friends with infected devices. Adaptive Mobile, who discovered this malware, wrote that victims receive an SMS message stating “Dear [NAME], Look the Self-time,http://goo.gl/******.” The link leads to an APK package called ‘The Self-Timer’; this application is the Selfmite worm malware.

Once installed, the malware sends the same infection SMS message to all contacts listed on the device. Then Selfmite opens the device browser to another URL where it downloads and installs an application known as Mobogenie. The worm installs Mobogenie because Mobogenie has an affiliate program that pays per install; Selfmite exploits this affiliate program to make money.

Android Protection

Android malware dominates the mobile malware landscape representing the vast majority of all mobile malware. Android users can take simple steps to avoid falling victim to this very real threat. Keep the following tips in mind while using your Android device to avoid an Android malware infection.

  • Install and use an Android anti-virus application on your device. Stay current with antivirus application updates to ensure that you are protected from the most recent threats.
  • Be sure to stay current with all other application and Android OS updates as these often contain patches for recently discovered security vulnerabilities.
  • Avoid downloading applications from untrustworthy sources.
  • Review application permissions before downloading. Unnecessary application permissions, such as a calculator application requiring the SEND_SMS permission, can be a red flag indicating malware.
  • Read user reviews of applications before downloading and look for a strong web presence. Applications without a developer website, Facebook page, Twitter account, or customer support number should be considered suspicious.
  • Back up your data regularly to prevent data loss in the event of a mobile malware infection.♦
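The permission-review tip above can be turned into a repeatable check. The following is an added example, not code from the article or from Armor for Android: it parses the output of `aapt dump permissions <apk>` (both the older `uses-permission: X` and newer `uses-permission: name='X'` formats) and flags high-risk permissions that the app's advertised category does not justify, such as a calculator declaring SEND_SMS or RECEIVE_SMS. The permission names are real Android constants; the category allow-list and the two sample dumps are constructed for illustration and are assumptions, not data from the page.

```python
"""Permission triage for Android apps: flag declared permissions that make no
sense for the app's advertised category (e.g. a calculator asking for SEND_SMS).

Added example, not code from the original article. Permission names are real
Android constants; the category expectations and sample dumps are constructed.
"""
import re

# High-risk permissions and the abuse each enables (SMS fraud, spying, persistence).
HIGH_RISK = {
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.RECEIVE_SMS": "can intercept SMS (e.g. banking PINs)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.READ_CONTACTS": "can harvest contacts (worm spreading)",
    "android.permission.RECORD_AUDIO": "can record the microphone",
    "android.permission.CAMERA": "can take photos",
    "android.permission.ACCESS_FINE_LOCATION": "can track location",
    "android.permission.BIND_DEVICE_ADMIN": "can resist uninstall / wipe the device",
    "android.permission.INSTALL_PACKAGES": "can silently install other apps",
}

# Which high-risk permissions are plausible for an advertised app category.
# Constructed, deliberately conservative allow-list (assumption).
EXPECTED_BY_CATEGORY = {
    "calculator": set(),
    "game": set(),
    "messaging": {
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.READ_CONTACTS",
    },
    "camera": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
    "navigation": {"android.permission.ACCESS_FINE_LOCATION"},
}

# Matches both "uses-permission: X" and "uses-permission: name='X'" aapt output.
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?", re.MULTILINE)
_PKG_RE = re.compile(r"^package:\s*([\w.]+)", re.MULTILINE)


def parse_aapt_permissions(dump: str):
    """Return (package_name, set_of_permissions) from `aapt dump permissions` text."""
    m = _PKG_RE.search(dump)
    package = m.group(1) if m else None
    return package, set(_PERM_RE.findall(dump))


def triage(category: str, perms):
    """Return sorted (permission, reason) pairs for high-risk permissions the category does not justify."""
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    return sorted((p, HIGH_RISK[p]) for p in perms if p in HIGH_RISK and p not in expected)


def report(category: str, dump: str):
    """Parse a dump and triage it; returns (package, flagged_pairs)."""
    pkg, perms = parse_aapt_permissions(dump)
    return pkg, triage(category, perms)


# Constructed sample: a "calculator" whose manifest declares SMS permissions,
# the pattern the article calls a red flag.
SAMPLE_CALCULATOR_DUMP = """\
package: com.example.simplecalc
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
"""

# Constructed sample: a messaging app declaring the same SMS permissions,
# which its category justifies (older aapt output style).
SAMPLE_MESSAGING_DUMP = """\
package: com.example.sms
uses-permission: android.permission.SEND_SMS
uses-permission: android.permission.RECEIVE_SMS
"""

if __name__ == "__main__":
    for cat, dump in (("calculator", SAMPLE_CALCULATOR_DUMP), ("messaging", SAMPLE_MESSAGING_DUMP)):
        pkg, flags = report(cat, dump)
        print(f"{pkg} ({cat}): {'SUSPICIOUS' if flags else 'ok'}")
        for perm, reason in flags:
            print(f"  - {perm}: {reason}")
```

To use it on a real file, run `aapt dump permissions app.apk` from the Android SDK build tools and pass the captured text to `report()` along with the category the app advertises. A flag is a reason to look closer, not proof of malware; the allow-list is where you encode what is normal for your own app inventory.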

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA


The All-In-One Mobile Spyware Tool for Governments

By James Green ~ June 27th, 2014 2:00 PM MST


Italian company ‘Hacking Team’ has developed an enterprise version of Remote Control System (RCS) malware that can be used to infect a mobile device on any major operating system platform, including iOS, Android, Windows Phone, and Blackberry. One of the most dangerous aspects of this malware is that it is not used by “criminals”; rather, it is believed this malware is bought and used by governments.

The RCS threat created by the Hacking Team was uncovered by Kaspersky Labs. Researchers were able to identify a signature within RCS command and control (C&C) servers and used this unique signature to identify 326 RCS C&C servers worldwide. The largest number of C&C servers located in a single country was 64, found in the United States. The top ten countries hosting RCS C&C servers are as follows (image credit Kaspersky).

[Image: top ten countries hosting RCS C&C servers, credit Kaspersky]

These C&C servers are used to communicate with and control devices infected with the RCS malware. While there is no way to associate any particular government agency with any particular server, the WHOIS information tied to the IP addresses for these servers was identified as “government.” It is also fair to speculate that governments using the RCS malware to spy on citizens would be wise to host the C&C servers within their own borders to avoid any international legal implications.

According to the research team at Kaspersky labs, both the Android and the iOS versions of this malware have similar capabilities. It is likely that the blackberry and Windows phone versions of this malware share the same capabilities, though they were not included in the report. RCS malware can monitor an alarming number of device activities, including:

  • Control of Wi-Fi, GPS, GPRS
  • Recording voice
  • E-mail, SMS, MMS
  • Listing files
  • Cookies
  • Visited URLs
  • Cached web pages
  • Address book
  • Call history
  • Notes
  • Calendar
  • Clipboard
  • List of apps
  • SIM change
  • Live microphone
  • Camera shots
  • Support chats, WhatsApp, Skype, Viber
  • Log keystrokes from all apps and screens via libinjection

All RCS malware can be installed remotely on any of the target device types when connected to an infected Windows or Mac computer. The iOS version of the RCS malware can only be installed on a jailbroken iPhone. This may appear to limit the effectiveness of the RCS malware but, fortunately for invasive government agencies, the RCS C&C servers are also capable of jailbreaking connected iOS devices via infected computers. The RCS C&C servers even have an intuitive GUI that executes installation and jailbreaking with just a click of a button.


1984 in 2014

It is alarming that professional malware programmers are backed by state actors to spy on citizens. Convenience blinds us to the fact that technology can be used to completely invade the privacy of our everyday lives. The reality is that most of us rely on computers and technology for our livelihoods and could not afford to surrender our technology to ensure our privacy. But there are a few things you can do to regain some of your privacy.

  • Cover the webcam on your computer or laptop when not in use.
  • Disable or disconnect computer microphones when not in use.
  • Disable geolocation features on your mobile device.
  • Use secure, encrypted instant messaging apps like ChatSecure instead of the default SMS client.
  • Use secure, encrypted calling clients like Cellcrypt to protect your conversations.
  • The Tor Project’s browser is a great way to ensure anonymity online and prevent anyone from spying on your web activity.
  • If you’re going to have a sensitive conversation, don’t do it in the same room as any cellphones or computers. The US government has a no-electronics policy in the situation room for this very reason.♦

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA


Sk(a)yNet is Taking Over, The Machines Have Turned Against Us

By James Green ~ June 25th, 2014 3:45 PM MST


Skynet is the self-aware artificial intelligence system from the Arnold Schwarzenegger action flick, Terminator. Now there is a real computer program looking to overtake the human race, and it is ominously called Skaynet.

Now we don’t expect Skaynet to be starting WWIII any time soon, but it is a pretty nasty little Android device that, for your convenience, comes preinstalled with Android malware. Skaynet is a low-end Android phone sporting reasonably impressive specifications (1GB RAM, 5-inch 720p screen, 3G dual-SIM, Android 4.2). Priced around $160 new on Amazon, Skaynet would draw the attention of any Android user looking to cheaply replace a lost, stolen, or out-of-date phone.


But like John Connor, you shouldn’t be fooled by Skaynet. These specifications are all a clever ruse to sell a malware infected device. The screenshots on the Skaynet device listing show that Google Play is installed, however, this is not truly the case. While the application installed appears to be Google Play it is actually a Trojan in disguise, detected as Armor.Trojan.Uupay.  

The Uupay Trojan was discovered in March 2014 by Kaspersky Labs expert Dong Yan. This Trojan has an extraordinary list of permissions that grant it access to nearly all device functions. The Uupay Trojan allows the Skaynet device to monitor device activity and collect information to be sent back to remote servers in China.

But most worryingly of all, the Uupay Trojan has the capability to remotely install additional applications without the user’s knowledge or permission. Apps installed this way can have any number of malicious functions, and the user may be completely unaware of background malware activity.

Thankfully Amazon has finally pulled this phone from their market. But anyone who may have purchased the ominous, malware infested Skaynet device should seek a new device as soon as possible.♦

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA


Mobile Ransomware Targeting Android and iOS

By James Green ~ June 18th, 2014 4:30 PM MST


Ransomware has become one of the most dangerous new forms of mobile malware. Previously exclusive to the desktop platform, this form of malware was a very successful means for cybercriminals to extort money from victims. Then, almost exactly a year ago, Android.Defender became the first ever ransomware style threat to target Android devices. Until recently mobile ransomware lay somewhat dormant, the only real development being a variant of Android.Defender found in late 2013. But within the last two months there have been four new mobile ransomware threats discovered (three for Android and one for iOS).

All three Android ransomware threats are downloaded as fake Android applications and are capable of locking or encrypting data stored on infected devices. The iOS ransomware is not an app but a vulnerability in the anti-theft feature normally used by iPhone and iPad owners to remotely lock a lost or stolen device. This feature is exploited by cybercriminals to lock the victim’s device and hold it for ransom.

iOS Ransomware

The iOS ransomware hack is novel. Cybercriminals created a phishing website designed to steal login credentials for iCloud accounts. The stolen information was then used to gain unauthorized access to victims’ iCloud accounts, use the “Find My iPhone” feature and enable “Lost Mode.” Enabling “Lost Mode” allows the cybercriminals to remotely lock the device and display a message to the victim. It was widely reported that victims received a message stating their device had been “hacked by Oleg Pliss” and demanding that a ransom between $50 and $100 be paid to a designated PayPal account.

Fortunately there is a workaround for this iOS ransomware. Victims who already use a lock screen PIN to protect their device will be able to immediately unlock this ransomware hack. The default PIN used when ‘Lost Mode’ is enabled is the same PIN used for the device lock screen, and this cannot be changed by the cybercriminals. Alternately, victims who do not use a lock screen PIN can take their infected device(s) to an Apple store and have the device restored to factory settings. Restoring the device to factory settings will unlock the victim’s device but also results in data loss, which is why it is important to back up your device regularly.

Android Ransomware

Mobile malware primarily targets Android for its popularity and open infrastructure; this is why mobile ransomware debuted on the Android platform and has seen greater development. Android malware is most prevalent in Russia, and as such Russian Android users are normally the target of new Android malware. However, these forms of ransomware broke the mold and have been observed targeting 35+ countries, including the US and UK.

May 2014 marked the first great development in Android ransomware when Cryptolocker, wildly successful PC ransomware, migrated from PC to Android. On the Android platform Cryptolocker (also detected as Koler) locks an infected device under the pretext of viewing “banned pornography (child pornography/zoophillia/rape etc).” This ransom message appears to be from a legitimate-sounding government agency (ex: USA Cyber Crime Center) from numerous different countries. The message goes on to say the victim must pay a fine in order to regain access to the device; failure to pay will result in the contents being permanently deleted and a criminal case being brought against the victim. At $300 to unlock the device, Cryptolocker has the highest ransom of the three Android threats.


The second most expensive Android ransomware threat is a new version of the Svpeng Trojan, which demands a $200 ransom. This Svpeng variant was discovered a month later in June and shares many similarities with the Cryptolocker ransomware. Both threats use the guise of a government agency locking a device for viewing illicit pornography, and both demand payment be made via a system called MoneyPak. Both threaten to publicly embarrass the victim, but instead of criminal prosecution Svpeng threatens to send messages to all device contacts informing them of the victim’s illicit pornographic activities.

It is odd that the most capable Android ransomware is also the threat with the least expensive ransom. Simplocker is the only Android ransomware yet discovered that is actually capable of encrypting files on the victim’s device. Once installed, the threat displays a ransom message and begins encrypting certain file types on the SD card. This ransom message is in Russian and also states that illicit pornographic images were detected. The ransom is demanded in Ukrainian currency for the amount of 260 UAH, which amounts to about $20 USD. According to the ransom message, failure to pay will result in all encrypted files being lost.

Protect Your Mobile Device

First of all, we would like to urge users NEVER to pay a ransom! There is absolutely no guarantee paying the ransom will unlock your device or decrypt your files. Furthermore, paying these cybercriminals encourages further crime; if the crime isn’t profitable, they will stop.

For iOS users it is important to protect your iCloud account with a strong password and protect your device with a lock screen PIN. For assistance creating a strong, memorable password follow this link. The top two password-creating tips are: never use real words in a password (in any language), and include upper and lower case letters, special characters, and numbers. A lock screen PIN will help protect against this particular ransomware threat as well as prevent unauthorized access to your smartphone and all of the sensitive information it contains. A smartphone lock screen is good personal security.

For Android users it is important to be skeptical and review all applications before installing anything. Avoid untrustworthy sources and if you have any concerns you should research the application and app developer online. Look for a developer website, customer service number, and social media page and review each to establish credibility.

Users of both iOS and Android devices should regularly back up their data to a computer or cloud storage. If your device is infected with a ransomware threat, we recommend that you turn it off immediately and factory reset the device.

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA


iBanking: The $5,000 Android Malware-as-a-Service Threat

By James Green ~ June 2nd, 2014 4:20 PM MST


Malware-as-a-service (MaaS) has been a popular cybercriminal industry of late. From humble beginnings as an SMS stealer, iBanking became a powerful Android Trojan used to steal banking credentials from victims. The $5,000 price tag for this malware meant the clientele was mostly organized cybercriminal gangs with a sizeable amount of liquid capital, keeping the customer base and global infection rate minimal. That was until the iBanking source code was leaked onto the web in February, and since then iBanking activity has increased dramatically.

The Android iBanking Trojan is used to overcome the 2-step verification process that many modern banks use. Online banking often requires that the bank customer enter a special PIN to log in to their bank account; these PINs are sent via SMS message to the customer’s mobile device. Android iBanking Trojans seek to intercept these PINs so that cybercriminals can gain access to the victim’s bank account.

Often the victim’s computer will already be infected with banking malware that prompts the user to download an Android application for additional security. The user enters their contact information to receive the Android security app and is sent a link to download the Android iBanking Trojan. Once installed on the device, the iBanking Trojan begins to monitor all incoming and outgoing SMS messages and upload their contents to a remote server controlled by the cybercriminals. Once the cybercriminals have obtained the banking credentials, they can then use the PIN to gain access to the victim’s online bank account.

The Android iBanking Trojan is capable of stealing more than SMS messages, as proven by Twitter user ReVOLVeR, who unintentionally uncovered the iBanking source code and may have been party to it being published on the internet. ReVOLVeR was investigating the theft of 65,000 Bitcoins from a friend, which he attributed to a mobile device infected with the iBanking Trojan app. ReVOLVeR believes that the iBanking Trojan was used to steal the username and password for the Bitcoin wallet containing the Bitcoin fortune. The investigation was live-tweeted from ReVOLVeR’s Twitter account, and in the process of the investigation this hacker demonstrated some of the other information that can be stolen by the Android iBanking Trojan.

The malicious features of the Android iBanking Trojan include the following:

  • Stealing phone information – phone number, ICCID, IMEI, IMSI, model, operating system
  • Intercepting incoming/outgoing SMS messages and uploading them to the control server
  • Intercepting incoming/outgoing calls and uploading them to the control server in real time
  • Forwarding/redirecting calls to an attacker-controlled number
  • Uploading contacts information to the control server
  • Recording audio on the microphone and uploading it to the control server
  • Sending SMS messages
  • Getting the geolocation of the device
  • Access to the file system
  • Access to the program listing
  • Preventing the removal of the application if administrator rights are enabled
  • Wiping/restoring phone to the factory settings if administrator rights are enabled
  • Obfuscated application code

While the source code for this Trojan is available for free online, it is likely that organized groups of cybercriminals will continue to pay for the Malware-as-a-Service to receive software updates and product support.

Common Sense Protection

All too often we do not listen to our inner skeptic, but we must learn to. The internet is rife with social engineering tricks and scams that are aimed at stealing your money or sensitive information. Be safe and be skeptical.

  • Always research applications prior to installing any kind of software on your computer or mobile device. Review the developer’s website and look for customer service details, also review the developer’s social media pages to see what other people are saying about them.
  • Stay current with updates. Updates often contain patches to newly discovered security vulnerabilities and help to protect against cyber attacks.
  • Install and use some kind of antivirus software. AV software is designed to inform you before you make a terrible software mistake.

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA


Snapchat Spam Promoting Android Malware

By James Green ~ June 2nd, 2014 6:00 AM MST


One of the most popular photo messaging applications for sharing goofy and occasionally risqué photos has been exploited by cybercriminals to promote Android malware. These Snapchat spammers have adopted a classic social engineering technique, free stuff. Snapchat users with public privacy settings received a snap from user “teanvuxedxtuzc” and discovered that they had been selected for the Google “Glass Explorer Program” and were eligible to receive a free pair of Google Glasses, courtesy of GlassforSnap.com.

According to this snapspam, winners simply visit GlassforSnap.com and enter their Snapchat username to claim their free pair of Google Glasses. The reality was much more devious. Visitors have a very different experience depending on whether they visit using a computer or mobile device, which type of operating system (OS) the device uses, and the device location. Visiting GlassforSnap.com from a computer simply redirects to the official Google Glass sales page, where no pair of Glasses can be found for less than $1,500. But visiting GlassforSnap.com from a mobile device provides an entirely different experience.

The first two pages of GlassforSnap.com request personal information (Snapchat username, first/last name). These two pages are the same for all mobile visitors; thereafter things change depending on the mobile device OS and location. A popup box appears after completing the second page stating one final sponsor offer must be completed to unlock the free Google Glasses.


iPhone users worldwide are prompted to complete an offer by downloading an app (in our experience the app was hotels.com but this may change). Clicking the offer to download the app redirects the visitor through several webpages before they are eventually told the offer is no longer available. Sorry iPhone users, no free Google Glasses for you.

When visiting GlassforSnap.com from an Android device it becomes clear that this Snapchat spam campaign is designed with Android users in mind. GlassforSnap.com targets individuals in Europe, Asia and South America, regions in which Android is the dominant smartphone OS. Depending on the geographical location of the device GlassForSnap.com redirects visitors to either a website peddling expensive premium SMS subscriptions, or a website distributing Android malware.

GlassforSnap.com targets users in Europe and Asia, two regions in which Android is the dominant smartphone OS. When Android users from these locations click to complete the final offer, they are redirected to either a website designed to subscribe the visitor to an expensive premium SMS service or a website that automatically downloads Android malware to the device.


During our investigation we discovered numerous premium SMS campaigns being promoted by GlassforSnap.com. These campaigns ranged from battery-enhancing services to SMS diet plans and occasionally promised free prizes in return for registration. Premium SMS services have historically been a prime moneymaker for cybercriminals. The charges for these “services” vary; the most expensive campaign we witnessed offered services for $5.35 per day with a max of $37.45 per week and a one-time $10.70 sign-up fee. These incredibly expensive premium SMS services commonly re-bill until the victim cancels the service.

Visitors to GlassforSnap.com who are lucky enough not to be redirected to a premium SMS racket are unfortunate enough to be redirected to a website distributing some form of Android malware. In numerous countries the final offer to receive the free pair of Google Glasses is to download a Potentially Unwanted Program (PUP) called MoboGenie (please note this MoboGenie offer was also proposed to individuals redirected to premium SMS websites). Clicking the final offer begins a whirlwind of redirects that concludes on a website prompting the victim to download one of two types of Android malware: the PUP mobogenie_152140508.apk, or a series of apps that are widely detected as MinimobSMS.


The Android MoboGenie PUP has a desktop cousin that also has a history of downloading itself automatically onto computers without permission. According to their website, MoboGenie is “an Android synchronization softwares and applications developer,” but it requires a laundry list of sensitive permissions which raise both security and privacy concerns. MoboGenie is capable of establishing a network connection on its own and connects to Voga360.com, a website that receives a 0% trust rating from ScamAdviser.com. A quick Google search on MoboGenie reveals that the internet is rife with suspicion regarding this PUP on every platform. MoboGenie has a tainted reputation, and it certainly won’t be helped by being linked to this Snapchat spam campaign.


The second form of Android malware distributed by GlassforSnap.com is MinimobSMS. This threat is much more malicious and is capable of subscribing victims to expensive premium SMS services. GlassforSnap.com redirects the device’s browser to “applist.lp.badabee.com/[censored]/[censored]” where numerous applications by developer BadaBee are listed. The webpage does not offer a disclaimer, and has neither a privacy policy nor terms of service; there are no outward links on this webpage at all. None of the applications listed have a description and all are detected as MinimobSMS malware.

Clicking on any of the applications will begin the download process. Once installed MinimobSMS threats collect a significant amount of information from the device (device ID, carrier, network operator, phone model, longitude, latitude, etc). The information collected is transmitted to a remote command and control (C&C) server where it is used to determine a compatible premium SMS service to subscribe the device to. The C&C server relays the premium SMS number to the MinimobSMS threat to send SMS messages from the device to subscribe to the premium SMS service.


The cost of the premium SMS subscription varies by region. In our investigation we discovered premium SMS services that billed daily and weekly. The total cost of these services ranged from $6.90 USD to as much as $40.50 USD per month. All of the premium SMS services involved with the MinimobSMS threat use recurring billing and must be actively canceled by the victim. The following chart outlines the cost in the local currency and in USD and highlights the monthly cost of these premium SMS services. If you believe that you have been infected with a MinimobSMS Trojan, we have also included instructions on how to cancel the premium SMS services in different regions.

[Chart: premium SMS subscription costs by region, in local currency and USD, with monthly totals]

Premium SMS fraud is one of the most popular tactics used by cybercriminals because it’s profitable and often goes unnoticed for an extended period of time. It is important to review mobile phone bills carefully to make sure there are no erroneous charges. Contact the customer service department of your mobile service provider if you have questions about charges or need help reading your bill.

New Android Malware Infection Mechanism

Snapchat spam is a fairly new concept in itself, but this is the first time we have seen Snapchat spam used to promote and distribute Android malware. GlassforSnap.com is novel in that it appears only to mobile visitors and redirects desktop visitors to the legitimate Google Glass website. However, the Android malware that GlassforSnap.com distributes is par for the course: premium service fraud and potentially unwanted programs (PUPs) are among the most common forms of Android malware.

As with all spam it is important to be skeptical; common sense is the strongest tool we have to avoid falling victim to Nigerian spam scams or Snapchat spam. A few general rules to keep in mind:

  • Never download programs or applications that you did not actively seek out
  • Always research applications and developers prior to downloading an app or program to establish credibility
  • If something sounds too good to be true (for instance free Google Glasses) then it probably is

Snapchat Privacy Settings

The Snapchat spam problem has cropped up in the past and the problem is isolated to users who have public privacy settings. Snapchat provides two privacy settings that determine who can send Snapchat messages to a particular account; users can receive snaps from “everyone” (public), or restrict their accounts to receive snaps from “my friends only” (private). Changing the privacy settings to private is the easiest way to prevent this type of Snapchat spam.


The Snapchat settings menu is located in the top right corner of the incoming and outgoing Snapchat stream. Under the “Who can” menu heading the “Send Me Snaps” option is essentially the Snapchat privacy settings. If you are comfortable handling Snapchat spam (or are a security professional, like myself, who actually wants to receive and explore spam) you can opt to receive snaps from “Everyone.” For the rest of the world, if you want to avoid Snapchat spam you can select “My Friends” to block strangers, or spammers, from sending you unwanted Snapchat messages.

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA


Android Worm Malware Leaves Victims Wriggling

By James Green ~ May 2nd, 2014 ~ 10:11 AM MST


There are few games more classic than Worms. For nearly 20 years friends have been attempting to destroy each other with a variety of weapons ranging from Homing Pigeons and Miniguns, to exploding Sheep and Holy Hand Grenades (the HHG being homage to the great Monty Python sketch). These worms, these happy worms, have created everlasting memories for millions throughout the years, but while these worms have been exploding for our entertainment a very different kind of worm has been causing havoc on computers and now Android devices.

In late April security firm ESET discovered an Android Trojan which they dubbed Android/Samsapo.A. As it turned out, this was not your average Trojan: in addition to an armory of malicious functions, Android/Samsapo.A also exhibited worm-like characteristics.

Security researcher Robert Lipovsky describes Android/Samsapo.A as “novel.” In terms of computers (PCs and laptops) worm malware is as old as the day is long, but worm-style malware is not something that is often seen on Android.

A computer worm is malware that will attempt to replicate in order to spread. Traditionally computer worms spread as email attachments or malicious URL links in instant messages. But since Android/Samsapo.A is a worm targeting Android devices, namely smartphones, it exploits the device’s ability to send SMS messages (text messages) to spread to additional victims.

A device infected with Android/Samsapo.A sends a text message to all of the contacts on the device. The message is written in Russian and translates to “Is this your photo?” The text message also includes a malicious URL that links to the Android/Samsapo.A worm file. If the recipient of the text has the misfortune to click the malicious URL, the Android/Samsapo.A threat is automatically downloaded to the device.
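The two SMS abuse patterns described on this page, Samsapo's fan-out of one URL-bearing message to every contact and MinimobSMS's silent subscription messages to premium numbers, both leave a signature in an outgoing-SMS log. The following is an added Python example (not code from the article, ESET or any vendor) that flags each pattern; it assumes a device agent or messaging gateway records `timestamp|recipient|body` lines, that premium short codes are 4 to 6 digits (this varies by country), and every number, URL and body below is a constructed placeholder.

```python
"""Heuristics over an outgoing-SMS log for two abuse patterns:
worm fan-out (Android/Samsapo.A) and premium-service subscription (MinimobSMS).

Added example. Assumptions: 'ts|recipient|body' records from a device agent or
messaging gateway; premium short codes are 4 to 6 digits (country-dependent);
all numbers, URLs and message bodies are constructed placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
SHORT_CODE_RE = re.compile(r"^\d{4,6}$")   # assumption: national short-code length

# Constructed log. Samsapo's real text is Russian; an English stand-in is used here.
SMS_LOG = """\
2014-04-28T10:00:00|+79001110001|Is this your photo? http://example.invalid/photo.apk
2014-04-28T10:00:01|+79001110002|Is this your photo? http://example.invalid/photo.apk
2014-04-28T10:00:01|+79001110003|Is this your photo? http://example.invalid/photo.apk
2014-04-28T10:00:02|+79001110004|Is this your photo? http://example.invalid/photo.apk
2014-04-28T10:00:03|+79001110005|Is this your photo? http://example.invalid/photo.apk
2014-04-28T12:30:00|+79001110001|Running late, see you at 7
2014-04-28T13:00:00|+79001110007|Check this out http://example.invalid/news
2014-04-28T14:00:00|7733|SUB 4481
2014-04-28T14:00:00|7733|SUB 4481
"""


def parse_log(text):
    """Parse 'ts|to|body' lines into (datetime, recipient, body) tuples."""
    records = []
    for line in text.splitlines():
        ts, to, body = line.split("|", 2)
        records.append((datetime.fromisoformat(ts), to.strip(), body.strip()))
    return records


def find_worm_bursts(records, min_recipients=4, window=timedelta(minutes=5)):
    """Return [(body, recipients)] for URL-bearing bodies sent to at least
    min_recipients distinct numbers inside any sliding time window."""
    by_body = defaultdict(list)
    for ts, to, body in records:
        if URL_RE.search(body):
            by_body[body].append((ts, to))
    hits = []
    for body, sends in by_body.items():
        sends.sort()
        best, start = set(), 0
        for end, (ts, _) in enumerate(sends):
            while ts - sends[start][0] > window:   # slide the window forward
                start += 1
            current = {to for _, to in sends[start:end + 1]}
            if len(current) > len(best):
                best = current
        if len(best) >= min_recipients:
            hits.append((body, sorted(best)))
    return hits


def find_short_code_sends(records):
    """Return {short_code: count} for messages sent to premium-style numbers;
    a user's subscription is a one-off, a bot's is repeated and silent."""
    counts = defaultdict(int)
    for _, to, _ in records:
        if SHORT_CODE_RE.match(to):
            counts[to] += 1
    return dict(counts)
```

Tune `min_recipients` and `window` to the device population; a single user rarely sends the same link to four contacts within seconds, which is what separates the worm burst from ordinary sharing.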

Android/Samsapo.A does not place an icon in the application menu and attempts to go unnoticed by impersonating a system application in the settings/application menu. Like real worms this threat prefers to stay hidden, and like our video game worms this threat can cause some serious damage.

The Holy Hand Grenade of Android/Samsapo.A is its ability to download additional files and applications. There is no way to tell what type of malicious function these downloaded files might have and there is a very long list of nefarious possibilities.

The worm-like features of Android/Samsapo.A make this a very unusual Android threat; however, it also displays some more common malware characteristics. Among these more common features is premium service fraud: Android/Samsapo.A sends SMS messages to premium SMS phone numbers that incur additional charges on the mobile phone bill. Android/Samsapo.A is also a substantial privacy threat; it steals personal information, phone numbers, and text messages and uploads the stolen information to a remote server controlled by the malware author.

Android malware is becoming more complex and we are seeing a great deal of PC-style threats make the transition to the Android platform. Android/Samsapo.A is another example of the advancement of mobile malware. We expect to see more and more of these types of threats in the future.

Protect Yourself

Virtual security is as much about antivirus software as it is about good online habits. It is important to take your own security seriously and to be skeptical on the internet. Keep the following tips in mind when using your Android device (or any internet-capable device) to keep your personal information safe and secure.

  • Be Skeptical. Always read reviews and research applications and developers before downloading an app. Look for a customer support number/email, and social media account to ensure you have a means to contact the company if you have any problems.
  • Don’t download anything from an untrustworthy source.
  • Stay up-to-date with application and operating system updates. Updates are often designed to make your device more secure and patch newly discovered security vulnerabilities.
  • Install and USE an antivirus application. Antivirus applications help to detect and avoid threats.♦

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA


Android Fragmentation Remains a Significant Problem

By James Green ~ April 4th, 2014 4:04 PM MST


The Android update process is a precarious thing. The path updates take from Google, to device manufacturers, through mobile service carriers, to finally arrive on consumer devices is like playing the Game of Life, but moving one square at a time, and by the end your car is packed with more people than it should rightfully carry. This lengthy and complicated update process is responsible for considerable fragmentation of the Android operating system (OS).

Android OS updates are not simply a matter of getting the latest themes or better emoji support. Updates often include patches for newly discovered security vulnerabilities such as the ‘master key’ vulnerability discovered in July 2013. The master key vulnerability is a great example of what is wrong with the Android OS update process. It allows cybercriminals to inject malicious code into legitimate applications that goes undetected by Android security features, due to a flaw in how application signatures are checked.


The master key vulnerability affects Android versions 1.6 through 4.2. At the time of discovery approximately 900 million devices, or about 99% of all Androids, ran a vulnerable version of the Android OS. The master key vulnerability received a large amount of media coverage and Android users were understandably very concerned. Within weeks Google developed a patch for the master key vulnerability, and it was released as part of the Android 4.3 update. As of April 1st, 2014 (not an April Fools’ joke) only 14.2% of Android devices have received the Android OS 4.3 update. Over eight months after Google patched the master key vulnerability, a startling 85.8% of devices are still at risk.
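The signature-check flaw described above had a well-known variant in which an APK's ZIP directory carried two entries with the same name (classes.dex, say), so that the component verifying the signature and the component installing the code could end up looking at different copies. As an added Python example (not code from the article or from Google), the following is the check an app-vetting pipeline or hardened installer would want: it lists entry names that appear more than once and flags those whose contents differ. The package contents are constructed; no real APK is used.

```python
"""Detect the duplicate-entry variant of the 2013 'master key' APK bug.

Added example, not code from the article or Google. Assumption: an APK is a
ZIP, and in this variant the package carries two entries with one name, so
the verifier and the installer can each pick a different copy. All package
contents below are constructed test data.
"""
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes):
    """Return {name: count} for entry names listed more than once.
    namelist() reflects the whole central directory and keeps duplicates,
    while ZipFile.read(name) silently resolves to the last copy: the same
    ambiguity a naive 'verify one copy, install the other' flow falls for."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(zf.namelist())
    return {name: n for name, n in counts.items() if n > 1}


def differing_duplicates(apk_bytes):
    """Return names that appear more than once with different contents (CRC32).
    Identical copies are sloppy packaging; divergent copies are the tampering
    pattern an installer should reject outright."""
    crcs = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            crcs.setdefault(info.filename, set()).add(info.CRC)
    return sorted(name for name, s in crcs.items() if len(s) > 1)


def is_master_key_suspect(apk_bytes):
    """Reject the package if any duplicated entry has divergent contents."""
    return bool(differing_duplicates(apk_bytes))


def build_apk(entries):
    """Build an in-memory ZIP from (name, data) pairs; constructed test data only.
    zipfile warns about duplicate names at write time but still emits both copies."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


CLEAN_APK = build_apk([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", b"dex\n035\x00original-code"),
    ("META-INF/CERT.SF", b"signature-file"),
])
TAMPERED_APK = build_apk([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", b"dex\n035\x00original-code"),   # first copy of the name
    ("META-INF/CERT.SF", b"signature-file"),
    ("classes.dex", b"dex\n035\x00injected-code"),   # second copy; which one a
])                                                    # component uses depends on its ZIP parser
```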


The blame for this mess falls squarely on device manufacturers and mobile service providers. Devices manufactured and distributed by Google, such as the Nexus series, receive updates almost immediately after they are released. Unfortunately, other device manufacturers and mobile service providers customize new versions of the Android OS, and install proprietary applications before the update is pushed to consumers. Frequently Android updates are held hostage for months by manufacturers and service providers while customers’ devices remain at risk to well known vulnerabilities.

In the PC world this type of delay is unheard of. Computer manufacturers and internet service providers do not withhold operating system updates from customers to install custom software. Neither Microsoft nor Apple allow manufacturers to fiddle and tinker with updates while customers remain at risk.

Android is often equated with Windows as both are the dominant operating system for their computing platform, but Android lacks the streamlined update process that Windows enjoys. The Android update process is a problem that badly needs to be addressed. Computing is experiencing a shift towards mobile devices that are more affordable and more convenient. Failure to address Android fragmentation makes Android less secure, undermines consumer confidence, and makes a large scale data leak or cyber attack a realistic concern.

Protect Yourself

Because Android is so fragmented, Android users must take steps to protect themselves from malware. There are three simple things that you can do to keep your Android device, and the sensitive information it contains, safe and secure.

  • Install and use an Antivirus application.
  • Read user reviews and visit application developers’ websites before downloading to establish credibility.
  • Do not install applications from untrustworthy sources. ♦

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com, Twitter: @James_AfA


Dendroid: Making Android Trojans is a Breeze

By James Green ~ March 13th, 2014 2:26 PM MST


Creating an Android Trojan just got a whole lot easier thanks to commercial crimeware called Dendroid. Dendroid is a Remote Access Toolkit that can be used to turn any Android application into a back-door Trojan. And for only $300, Dendroid is a steal (pun intended).

Sold on the criminal underweb by an individual known only as “Soccer,” this crimeware allows even the most inexperienced cybercriminals to create powerful and dangerous Android Trojans capable of a litany of illicit activities. Dendroid advertises that it is capable of creating Android Trojans that can communicate with remote Command and Control (C&C) servers to receive and execute any of the following activities on an infected device:


  • Call a phone number
  • Record Phone calls
  • Access/Delete Call Logs
  • Write and Send SMS messages
  • Intercept and Delete SMS messages
  • Access/Steal Contact Information
  • Obtain a list of installed applications
  • Open applications
  • Access device Camera
  • Take Pictures
  • Record Video
  • Record Audio
  • Upload files to C&C server
  • Open URL
  • Access/Steal Browser Bookmarks
  • Access/Steal/Delete specified files
  • Perform DDOS (HTTP Flood) attack
  • Change C&C server address
  • Update itself

Creating these powerful Trojans is child’s play with Dendroid. Cybercriminals can simply search through the Dendroid database of well-known Android applications and select which APK (Android package file) they wish to trojanize. Dendroid then does all the hard work for them and packages the malicious code into the selected application.

Using these Trojans a cybercriminal can very easily create their very own mobile botnet. Once a Dendroid Trojan app has been installed on any device the cybercriminal can log into the Dendroid software interface and access sensitive information and control a disturbing number of device functions.


One must admit, for crimeware Dendroid has a polished and professional user interface, and the software itself is alarmingly robust. Dendroid is careful to include code that is designed to evade security measures employed by Android application markets, including Google Play’s security system called Google Bouncer. Before applications are published on Google Play they are run on a virtual device known as an emulator to log activity and flag any malicious behavior. To evade such security measures Dendroid Trojans detect when they are being run on an emulator and will not execute any malicious code to avoid being flagged during review. This ability to publish Trojans on nearly all Android application markets makes this malware exceedingly dangerous.

Dendroid appears to have links to similar malware developed in Russia where this type of threat is more commonly seen. Armor for Android views this as evidence that more and more sophisticated malware developers are turning away from traditional desktop malware to target mobile devices (most commonly Android). Mobile malware is a growing threat and it is expected to rival desktop malware in numbers and complexity very soon.

Protecting your Android device and the sensitive information it contains is important. Keep these tips in mind when using your Android device to avoid falling victim to Android malware.

  • Install and use an Android antivirus application to detect and prevent a malware infection.
  • Always stay up to date with application, operating system, and antivirus updates. Updates often include patches to newly discovered security vulnerabilities and keep the device protected against the latest threats.
  • Read user reviews and research applications before installing. Review application developers’ websites and social media accounts to establish if the developer is trustworthy.
  • Trust your instincts. Don’t download anything that seems too good to be true. ♦

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA