Mar 1, 2011

Evolution of malware in Android devices

For months now it has been possible to watch malware development grow considerably for devices running the operating system developed by Google. This is largely the result of users' carelessness about security and of the growing success of this new platform.
It is an undeniable fact that, more and more, the daily tasks we used to carry out from our personal computer are taking a back seat, thanks to the convenience of having a device with similar capabilities that we can carry anywhere.
To this we must add that the line separating personal use from corporate use is blurred, so these devices take on new roles such as connecting to the company VPN, managing e-mail or doing online banking, to name a few. It is only a matter of time before we have the same functionality on our smartphone as on a desktop, something made easier now by the arrival of tablets.
Malware developers are well aware of this and obviously do not let the opportunity pass; proof of it is the frequency with which new attacks follow one another, each more effective and more polished than the last.
The aim of this post is to summarize the evolution of malicious applications for Android over the last few months.
Tap Snake

It was the first case of Android malware reported by the anti-virus company Symantec. Distributed through the Market as a legitimate application, it was a clone of the well-known mobile game "Snake".

Among its permissions we found:
  • android.permission.ACCESS_COARSE_LOCATION
  • android.permission.ACCESS_FINE_LOCATION
These give access to the device's location through WiFi or GPS, something totally unnecessary for a game.
Its real purpose was to declare a service called "SnakeService" that was installed on the device and started at every reboot of the handset. It kept running in the background even after the user left the game; in this way it obtained the exact position of the device and reported it to the server every fifteen minutes or whenever the location changed.

Those data could later be retrieved and plotted on Google Maps coordinates to geolocate the target through the "GPS Spy" application, developed by the same author.
Fake Player

This malware, detected by Dr. Web, was the first real case that significantly affected users of Android devices. The first sample was received in August of last year.

In this case it posed as a multimedia player, although that functionality was never present in the code.
Among its permissions we found:
  • android.permission.SEND_SMS
Its purpose was to send SMS messages to premium-rate numbers costing approximately four to six dollars each. Although these numbers (3353 and 3354) turned out to belong to Kazakhstan, they did not seem to affect countries unrelated to the service providers (Dalacom, Kcell, Mobile Telecom Service); this fact, together with the Russian-language message that accompanied them, linked it to Russia as the country of origin and confirmed that the rest of the world was unaffected.
Like "Tap Snake", it was distributed on Google's official Market as a legitimate application and was removed from it once its purpose was discovered. It is the first application known with certainty to try to profit illegally at the user's expense.

Geinimi

Analyzed here in a previous post, it marked a change of pattern with respect to the malware seen until then. Of Chinese origin, it used legitimate applications as carriers, injecting its code and repackaging the APK, to distribute itself through unofficial Chinese markets.
To do so it picked the applications most popular with users: MonkeyJump2, Angry Birds, City Defense and Baseball Superstars 2010, among others.
Among its permissions we highlight:
  • android.permission.CALL_PHONE
  • android.permission.SEND_SMS
  • android.permission.READ_CONTACTS
  • android.permission.WRITE_SMS
  • android.permission.RECEIVE_SMS
Geinimi was the first to apply code obfuscation and to use the DES algorithm to encrypt its communications with the server, adding a layer of complexity not seen before. Another of its characteristics was to open a TCP socket on ports 5432, 4501 or 6543, used to receive messages and to update the malware whenever a newer version existed.
It also sent private information to a series of web addresses and then went into standby waiting for orders, which showed that we were facing the first malware that turned our device into a bot. In total, close to twenty commands were counted.

The most recent malware to appear repeated Geinimi's infection pattern, injecting its code into legitimate third-party applications and distributing them through markets of doubtful reputation. Applications such as RoboDefense and a number of wallpapers were the chosen ones.
On this occasion it requested the following permissions:
  • android.permission.WRITE_APN_SETTINGS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.READ_PHONE_STATE
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.INTERNET
  • android.permission.MODIFY_PHONE_STATE
Once the phone booted, it sent private information such as the IMEI and the IMSI to a remote server, which responded with a set of search-engine URLs and a set of keywords. The malware then performed those searches in the background, invisibly to the user, and emulated clicks on the desired results in order to push them to the first position.
As with Geinimi, one of its functions was the ability to download an APK called "myupdate.apk" to update the malware to the latest version, besides monitoring at all times the type of network the phone was using and reporting it to the server.
Its origin was tied to China because it used APNs native to that country, such as "cmnet" and "cmwap" (China Mobile) and "uniwap" and "uninet" (China Unicom).
Hardening Android

As always, the final responsibility lies with the user, who decides which applications to install on the device. But... is it really possible to be safe from any threat?
Regardless of the anti-virus solutions that have become so fashionable lately, there is a series of tips that will probably help prevent any infection:
  • Download applications only from trusted sources such as the official markets, and remember to review the descriptions, comments and ratings that users give them.
  • Always review the permissions an application asks for when it is installed. Use common sense to check that the permissions match the functionality of the application.
  • Watch for any odd behaviour of your phone, such as unusual network activity, calls to unknown numbers or SMS messages being sent.
Companies such as Aegis, Symantec and Lookout have released applications intended to fight malware on smartphones, which also include extra functionality such as backups, rules to block calls to certain numbers, the ability to locate lost devices, etc.
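As an added example, not code from the original post nor from any of the vendors mentioned, the following Python script applies the permission review recommended above to a decoded AndroidManifest.xml of the kind apktool produces, and checks for the boot-time persistence that Tap Snake used. Both manifests it analyses are constructed for this example: a fictitious game packaged as "com.example.snake" that requests location permissions and registers a BOOT_COMPLETED receiver plus a background service, and a benign game for comparison. The high-risk permission list is drawn from the samples described in this post; the baseline of what a game or a media player legitimately needs is my own assumption.

```python
"""Triage the permissions and boot persistence declared in a decoded AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree key prefix for android:* attributes

# Permissions abused by the samples discussed in the post, with the capability each grants.
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking (Tap Snake)",
    "android.permission.ACCESS_COARSE_LOCATION": "network-based tracking (Tap Snake)",
    "android.permission.SEND_SMS": "premium-rate SMS fraud (Fake Player)",
    "android.permission.WRITE_SMS": "tamper with the SMS store (Geinimi)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (Geinimi)",
    "android.permission.CALL_PHONE": "dial numbers without the dialer UI (Geinimi)",
    "android.permission.READ_CONTACTS": "exfiltrate the address book (Geinimi)",
    "android.permission.READ_PHONE_STATE": "read IMEI/IMSI for fingerprinting",
    "android.permission.WRITE_APN_SETTINGS": "redirect traffic through another APN",
    "android.permission.MODIFY_PHONE_STATE": "change radio state",
}

# Assumed baselines for this example: what each kind of app plausibly needs.
EXPECTED = {
    "game": {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
             "android.permission.VIBRATE", "android.permission.WAKE_LOCK"},
    "media_player": {"android.permission.INTERNET", "android.permission.WAKE_LOCK",
                     "android.permission.WRITE_EXTERNAL_STORAGE"},
}

BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed manifest: a "Snake" game that tracks location and survives reboots.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.snake">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Snake">
        <activity android:name=".SnakeActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".SnakeService"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed manifest: a game asking only for what a game needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzle">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Puzzle">
        <activity android:name=".PuzzleActivity"/>
    </application>
</manifest>"""


def parse_manifest(xml_text):
    """Extract package, requested permissions, services and BOOT_COMPLETED receivers."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    components = app if app is not None else []
    boot_receivers = []
    for receiver in (app.iter("receiver") if app is not None else []):
        actions = {a.get(A + "name") for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            boot_receivers.append(receiver.get(A + "name"))
    return {
        "package": root.get("package"),
        "permissions": [p.get(A + "name") for p in root.iter("uses-permission")],
        "services": [s.get(A + "name") for s in (app.iter("service") if app is not None else [])],
        "boot_receivers": boot_receivers,
    }


def triage(manifest, category):
    """Compare requested permissions with the baseline and flag boot persistence."""
    requested = set(manifest["permissions"])
    high_risk = {p: HIGH_RISK[p] for p in sorted(requested) if p in HIGH_RISK}
    # Persistence needs both the permission and a receiver wired to BOOT_COMPLETED.
    persists = BOOT_PERMISSION in requested and bool(manifest["boot_receivers"])
    return {
        "unexpected": sorted(requested - EXPECTED[category]),
        "high_risk": high_risk,
        "persists_at_boot": persists,
        "background_services": manifest["services"],
    }


if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        m = parse_manifest(text)
        print(m["package"], triage(m, "game"))
```

Running it reports the fictitious Snake clone as requesting two location permissions a game has no use for, plus a boot receiver and a background service, which is exactly the combination that makes a tracker survive a reboot; the puzzle game produces an empty report.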

As for my personal opinion, I believe that a well-aware user is more than enough to keep his phone out of danger, and I doubt that the anti-virus solutions we are being offered are really prepared to fight malware as such. I sincerely doubt that true heuristics are applied or that infection patterns are searched for. I see it rather as an opportunity to sell a product with additional features.

It is evident that complexity and functionality have kept growing: each new malware sample takes advantage of what the previous one used and adds new features that bring another layer of complexity.
If we add to this the security flaws that have followed one another, we get a combination worthy of a feast.
Right now there is one barrier that prevents malware from being installed without any risk, and that is the permission system: for an application to be installed, the user must give consent. But... is it possible to bypass it?
In principle no; permissions must be declared in AndroidManifest.xml and there is no way to add or remove one programmatically. But a couple of months ago Lookout's research team discovered a security flaw that allowed TapJacking (similar to clickjacking): an overlay drawn on top of the screen lets taps pass through to the activity underneath, so the user can be tricked into confirming an installation or a permission prompt without seeing it. Android 2.3 added the View attribute android:filterTouchesWhenObscured so that an application can discard touches that arrive while another window covers it, but it only protects applications that set it.
