The Day After the Year in Mobile Malware?

2011 has seen some dramatic changes in the mobile landscape, driven by ever-increasing consumer adoption of smartphones. This has not escaped the attention of criminals, who have turned to mobile malware. What remains to be seen is whether this trend moves beyond testing the waters to making a significant impact on the scale we associate with Windows threats. If the activities of the past week are any indicator, 2012 is off to an interesting start. Another scam has come to our attention, this time targeting Android users in France and attempting to exploit the frenzy surrounding Carrier IQ.

From our analysis, Android.Qicsomos is a modified version of an open source project meant to detect Carrier IQ on a device, with additional code to send SMS messages to a premium-rate number. On installation, the app appears in the device menu with an icon similar to the logo of a major European telecom operator. That, together with the fact that we cannot find any trace of it on the Android Market, leads us to believe that a social engineering vector is being used to spread the malware, such as a spam or phishing campaign pretending to be from the official carrier and asking users to download and run the software.

The malicious code goes to work when the user presses the button marked ‘Désinstaller’ from within the app. Once pressed, four SMS messages are sent to 81168, a premium-rate number. The Trojan then runs an uninstall routine to remove the app, so by the time it is gone the charges have already been incurred.

A safe removal method is to uninstall the app through the device's Settings menu rather than using the ‘Désinstaller’ button inside the app.

In an additional twist, it appears the apps were signed with a certificate published as part of the Android Open Source Project (AOSP). Signing an app with a publicly known certificate allows it to be installed without going through the regular permissions notification screen on devices whose system image was built with those same keys. This shouldn't affect the commercial devices used by most consumers, where manufacturers keep the signing keys private, but it might trick certain older custom mods that reused these published keys.

With all the bold predictions being made about the state of the mobile threat landscape in 2012, one can be forgiven for being a little skeptical about their significance. But to any skeptics out there, I can assure you that some concerns, such as this threat, are not without merit.

Hardware Fragmentation Thwarts Android Call-Recording Trojan

Threats making or transmitting unauthorized audio recordings are not a new concept, though they have largely been limited to proof-of-concept demonstrations and final-year university projects. This is a vector that generates a lot of intrigue among researchers, as it touches many facets of security, such as data loss prevention and mobile threats, not to mention the changing face of the threat landscape. It is also something we have blogged about previously. Thus, when we received several inquiries about an Android threat we discovered over a week ago, and its ability to upload recorded voice conversations to a remote server, I decided to take a second look at the threat, Android.Nickispy.

This app was available on multiple sites in China, where it has been promoted as a solution for concerned users to confirm suspicions of infidelity by tracking a significant other’s calls and whereabouts. The author had clearly stated the purpose, so anyone installing this app could not be mistaken in its intentions. Now, that’s not to say someone couldn’t install it on another person’s phone. Still, on completion of installation, the app actually shows up with an icon marked Speech Recorder, clearly visible to the user.

Despite multiple reports of the app uploading recorded voice conversations to a remote server, our analysis has found no such functionality. It can record calls; however, physical access to the device is required in order to retrieve the recordings. The app does, however, have the ability to send data such as GPS location and call and SMS logs to a remote server hosted by its creator. For the “suspicious husband or wife” to obtain this tracking data, they then have to pay the app’s author for it.

If there was ever a reason to be grateful about the so-called “hardware fragmentation” issue surrounding Android devices, this is it. Due to the fact that not all Android hardware works the same way, we have found that if used on a real phone, as opposed to an emulator, the results can be quite different. After testing with several mobile phones in our lab, the majority of the devices we used resulted in the app crashing and abruptly ending the call. We only found one device that ran the threat successfully.

In an interesting twist, we were able to track down info about the creator of this app as a result of the continuous crashes. By doing an online search on the crash details in the accompanying error logs, we found a posted crash dump of the exact same issue on an Android developer forum, in which a developer was asking for urgent help with the code he or she was working on. A closer look at details of the posted crash dump showed that it had the same package name used in the threat. Still, it doesn’t look like they got all the bugs out since last year (posted July 15, 2010), because it’s still crashing most of the time on a real phone.

While I believe threats that attempt to make or transmit unauthorized recordings should be taken seriously, given the ubiquitous nature of smartphones, this isn’t necessarily one of those cases. Beyond the usual blog recommendations where we suggest best practices for security and updating definitions, I offer the following suggestion: if you find yourself to be in need of such an application, take the direct route and talk to your significant other instead.

Android Threat Trend Shows That Criminals are Thinking Outside the Box

A quick online search would reveal a number of articles declaring any one of the last few years as being the “year of mobile malware.” Conversely, these searches also reveal claims that the same years are not going to be the year of mobile malware. These search results go back as far as the early part of the decade. The contradictory nature of these bold predictive headlines could be explained by the fact that the articles are typically written at the beginning of each year—and who knows what the year may hold at the outset?

But if 2011's claim to be the real "year of mobile malware" were to be challenged, the events of the past few weeks alone should be enough to show that this year has seen considerable seismic activity shifting the tectonic plates of the mobile threat landscape.
 
Figure 1 - Mobile malware, 2011: types and targets
 
The message that is coming through loud and clear is that the creators of these threats are getting more strategic and bolder in their efforts. We are seeing increased attempts to complicate the infection vectors of mobile malware to the point where a simple uninstall is insufficient.
 
Multiple payloads
 
One such strategy is to separate the malicious package into staged payloads. The idea is simple: instead of having one payload that carries all of the malicious code for any given attack, break the threat into separate modules that can be delivered independently. There are several advantages to deploying the threat in this way. First, it obviates the tell-tale sign of a huge, overzealous permissions list accompanying the installation of the threat, which may alarm the user as to the intention of the malicious app. Secondly, smaller pieces are easier to hide and inject into other apps. Furthermore, dispersing the attack across separate apps complicates the integrated revocation processes from the service provider, marketplace, etc. 
 
Figure 2 - Dispersed payload process of mobile threat
 
A textbook example of this is the newly discovered variant of Android.Lightdd. Apart from a few minor variations, such as the service name running in the background now being called “Game Services” and the three new domain names that it attempts to connect to, everything else remains the same as the previous samples discovered last month. This includes the encryption routine and the keys used to hide data within the threat.
 
Figure 3 - Data-gathering process of Android.Lightdd
 
This threat is the first stage in a multi-payload delivery system, responsible for reconnaissance and intelligence gathering (model, language, country, IMEI, IMSI, OS version) on the compromised device, which precedes the downloading of additional payloads. 
 
Figure 4 - "Game Services" running in Android.Lightdd
 
An interesting fact is that the threat was capable of downloading additional components and updates through official channels of distribution as well as Internet/direct downloads. At the time of writing, all of the hosts associated with the threat are offline.
 
 
Figure 5 - Example of additional components and updates through official channels of distribution
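The staged sequence described above (a reconnaissance beacon carrying device identifiers such as the IMEI and IMSI, followed by a download of the next-stage package from the same host) is something a proxy or web-gateway log can surface. The script below is an added example written for this page, not code from the original post or from Symantec; the log format, client addresses, hostnames (under the reserved .test domain) and the GameServices.apk file name are constructed for illustration. It validates IMEI values with the Luhn check digit and raises an alert only when a beacon containing device identifiers is followed within a time window by an .apk fetch from the same host by the same client. Where a threat encrypts its beacon, as the text says Android.Lightdd does, the plaintext identifier match will not fire and the host/sequence correlation is what remains.

```python
"""
Flag the two-stage pattern (device-identifier beacon, then APK download from the same
host) in proxy logs. Added example with constructed data; not code from the original post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Constructed log lines (squid-like "time client method url status"); the client
# addresses, hostnames (.test TLD) and file names are invented for the example.
SAMPLE_LOG = """\
2011-06-03T10:00:01 10.0.0.5 POST http://update.example-c2.test/check.php?imei=490154203237518&imsi=310150123456789&model=GT-I9000&os=2.2 200
2011-06-03T10:00:02 10.0.0.5 GET http://www.google.com/ 200
2011-06-03T10:03:14 10.0.0.5 GET http://update.example-c2.test/files/GameServices.apk 200
2011-06-03T10:05:00 10.0.0.9 GET http://cdn.vendor.test/app-update.apk 200
2011-06-03T10:07:00 10.0.0.7 POST http://stats.legit.test/ping?model=GT-I9000 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def luhn_valid(digits):
    """Luhn check as used for the IMEI check digit (the 15th digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_log(text):
    """Parse the constructed log format into dicts with a datetime and the request host."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["host"] = urlsplit(e["url"]).hostname
        entries.append(e)
    return entries


def device_identifiers(url):
    """Query parameters carrying a plausible IMEI (15 digits, Luhn-valid) or IMSI (15 digits)."""
    found = {}
    for name, value in parse_qsl(urlsplit(url).query):
        if not (len(value) == 15 and value.isdigit()):
            continue
        key = name.lower()
        if key == "imei" and luhn_valid(value):
            found["imei"] = value
        elif key == "imsi":
            found["imsi"] = value
    return found


def staged_download_alerts(entries, window=timedelta(minutes=15)):
    """One alert per beacon with identifiers that is followed within `window` by an
    .apk fetch from the same host by the same client (the stage-two download)."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["client"]].append(e)
    alerts = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda e: e["ts"])
        for i, beacon in enumerate(reqs):
            ids = device_identifiers(beacon["url"])
            if not ids:
                continue
            for later in reqs[i + 1:]:
                if later["ts"] - beacon["ts"] > window:
                    break
                if later["host"] == beacon["host"] and urlsplit(later["url"]).path.lower().endswith(".apk"):
                    alerts.append({
                        "client": client,
                        "host": beacon["host"],
                        "identifiers": ids,
                        "payload": later["url"],
                        "delay_s": int((later["ts"] - beacon["ts"]).total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for alert in staged_download_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run directly, it prints one alert for client 10.0.0.5 (beacon with a valid IMEI and an IMSI, then GameServices.apk from the same host 193 seconds later); the vendor update fetched by 10.0.0.9 and the model-only ping from 10.0.0.7 produce nothing. In practice the window and the identifier parameter names are the knobs to tune against real gateway logs.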
 
 
Overcoming the user acceptance hurdle
 
As with its previous variant, Android.Lightdd still requires the user to accept the installation of any download—a major obstacle in this model of delivering a payload. However, another threat also discovered in the wild, Android.Jsmshider, has found a way to overcome this obstacle.
 
By signing the payload with a certificate published as part of the Android Open Source Project (AOSP), the threat was able to perform further downloads without any interaction or prompts: a device whose firmware was built with the same published keys treats a payload signed with them as a system update. At this point, however, this deception only works on custom modifications built with those public keys; commercial devices are built with the manufacturer's private keys.
 
Figure 6 - Example of Android.Jsmshider exploiting Android Open Source Project certificate
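To check whether an APK carries a signer certificate from a publicly published key, as both Android.Qicsomos and Android.Jsmshider are described as doing, a reviewer can pull the certificate out of the v1 (JAR) signature block under META-INF and fingerprint it. The script below is an added example written for this page, not Symantec's tooling or code from the original post. It uses only the Python standard library, walks the PKCS#7 SignedData structure that jarsigner writes into META-INF/*.RSA, and compares the SHA-256 of each embedded certificate against an operator-supplied set. The set KNOWN_PUBLIC_CERT_SHA256 is deliberately left empty and the sample APK and certificate are constructed stand-ins, not the real AOSP test keys; populate the set with fingerprints of the AOSP keys shipped under build/target/product/security, or of whatever public keys a custom ROM is known to reuse.

```python
"""
Fingerprint the signer certificate(s) in an APK's v1 (JAR) signature and check them
against a list of publicly published keys. Added example; standard library only.
"""
import hashlib
import io
import zipfile

# Operator-supplied SHA-256 fingerprints of certificates whose private keys are public
# (e.g. the AOSP test keys). Left empty here by assumption; no real fingerprints included.
KNOWN_PUBLIC_CERT_SHA256 = set()


def der_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end).
    Short and long length forms are handled; indefinite-length BER is not expected."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, element_start, value_start, value_end) for each child of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend


def certificates_from_pkcs7(blob):
    """DER bytes of each certificate in a PKCS#7 SignedData blob (META-INF/*.RSA, *.DSA, *.EC)."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    tag, start, end = der_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    wrapper = next(c for c in der_children(blob, start, end) if c[0] == 0xA0)
    _, _, sd_start, sd_end = next(der_children(blob, wrapper[2], wrapper[3]))
    certs = []
    # SignedData ::= SEQUENCE { version, digestAlgorithms, contentInfo,
    #     certificates [0] IMPLICIT SET OF Certificate OPTIONAL, crls [1] OPTIONAL, signerInfos }
    for tag, _, vstart, vend in der_children(blob, sd_start, sd_end):
        if tag == 0xA0:
            for ctag, cstart, _, cend in der_children(blob, vstart, vend):
                if ctag == 0x30:  # each Certificate is a SEQUENCE; keep the whole TLV
                    certs.append(bytes(blob[cstart:cend]))
    return certs


def signing_cert_fingerprints(apk_bytes):
    """SHA-256 hex fingerprints of every signer certificate in the APK's v1 signature files."""
    fingerprints = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_from_pkcs7(z.read(name)):
                    fingerprints.append(hashlib.sha256(cert).hexdigest())
    return fingerprints


def signed_with_public_key(apk_bytes, known=None):
    """True if any signer certificate matches a known publicly published key."""
    known = KNOWN_PUBLIC_CERT_SHA256 if known is None else known
    return any(fp in known for fp in signing_cert_fingerprints(apk_bytes))


# --- constructed sample: not a real app and not a real X.509 certificate ---------------
def _der(tag, value):
    """Encode one DER TLV (short or long length form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


DUMMY_CERT = _der(0x30, _der(0x02, b"\x01") + _der(0x13, b"CN=stand-in, not a real cert"))
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
_signed_data = _der(0x30,
                    _der(0x02, b"\x01")                  # version
                    + _der(0x31, b"")                    # digestAlgorithms (empty in sample)
                    + _der(0x30, _der(0x06, OID_DATA))   # contentInfo
                    + _der(0xA0, DUMMY_CERT)             # certificates [0]
                    + _der(0x31, b""))                   # signerInfos (empty in sample)
SAMPLE_CERT_RSA = _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, _signed_data))


def sample_cert_fingerprint():
    return hashlib.sha256(DUMMY_CERT).hexdigest()


def build_sample_apk():
    """Zip with the META-INF layout of a v1-signed APK, carrying the constructed PKCS#7 blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<!-- placeholder -->")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", SAMPLE_CERT_RSA)
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    print("signer fingerprints:", signing_cert_fingerprints(apk))
    print("signed with a public key:", signed_with_public_key(apk))
```

Two caveats for real-world use. Android compares the full DER of the signing certificate when it decides whether an update or a platform-signed app is trusted, which is why the fingerprint is taken over the whole certificate rather than over the public key alone. And this parser reads only the v1 JAR signature, which is what devices of this era used; current APKs usually also carry v2/v3 signatures in the APK Signing Block, and `apksigner verify --print-certs app.apk` reports the certificates for every scheme at once.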
 
Given the relatively elaborate installation of this threat, you would think that the final payload being deployed would rival something akin to the Stuxnet worm, but in fact, the final payload in the majority of cases was nothing more than a garden-variety premium SMS sender. Premium SMS senders and/or dialers don’t get a lot of respect from antivirus researchers, mainly because they lack sophistication and, just like those emails that we all get from a distant contact promising us a cut in the deal of a lifetime, depend largely on social engineering for a payoff. But, they have been around for ages and, as far as mobile threats go, have the quickest ROI for their authors. 
 
There is plenty of research demonstrating that the average price of a stolen credit card (due to competition and market forces, etc.) has dropped to as low as $0.40 – $0.80 (USD) per unit. In contrast, the latest dialer to be discovered that was targeting North America would pay the author $9.99 per successful install and execution. Furthermore, if the threat is not detected by the user, each subsequent execution would result in a continuous revenue stream—until the owner of the device saw his or her next phone bill, that is.
 
Another interesting trend that Symantec has observed is the use of in-app features that facilitate the promotion and/or download of other apps. In some cases, we have seen this implemented as full-fledged browsing access to another third-party app store that has been embedded as undocumented functionality of the original app that the user has downloaded from the official marketplace—without any indication that the victim is downloading or browsing apps from another website or store.
 
Figure 7 - In-app features that facilitate the promotion and/or download of other apps
 
Even though user interaction is required to install additional apps, there is a concern that this vector has an element of social engineering, whereby the user assumes that, since the first app was downloaded through an official channel, any additional apps must also be originating from there, too. Since there is no indication to the user that he or she is downloading from a third-party site, an element of trust might be established with this particular vector.
 
All things considered, the real question that comes to mind is: if this truly is the “year of mobile malware,” where do we go from here?

What Does the Consumerization of IT Mean to You? (An End-User Survey on Personal and Business Smartphone Trends)

More than ever before, smartphones are keeping us connected both personally and professionally. Because most of us have a preference as to the ideal smartphone, IT departments are increasingly being tasked with managing a mix of business-liable and employee-liable devices. This trend has become known as the consumerization of IT.

Symantec has developed a short survey to get smartphone end users’ perspectives on this trend. We’d also like to learn more about how your employer is managing the growing use of smartphones, especially those being purchased and brought into the organization by employees. The quick five minute survey can be found here: http://bit.ly/gsdgmX

Once you’ve taken the survey, please stay tuned to the original post that resides in the Security Community Blog. We’ll be sharing the results once the survey is complete.