
New Android malware should be wake-up call for security admins

Security firm Kaspersky reported on a new malware threat that it calls the most sophisticated it has seen in targeting Android phones.

IT pros in the enterprise rely on a wide array of tools to keep users secure: firewalls, intrusion detection systems, centralized software updates, anti-malware definition updates, policy statements, and so on. But when it comes to mobile security, many businesses do not apply the same strict policies they hold for desktops, despite clear evidence that smartphones are now just as powerful as a full computer, and that bad guys are out there targeting them.

Just last week, security firm Kaspersky published a report about the most complex Android malware it has found so far. In many ways, it mimics what a modern desktop worm has to do to infect computers. The first surprising finding is how many unknown vulnerabilities this single piece of malware exploits. Typically, worms and viruses are created to exploit a single security hole: as soon as a Java or Flash exploit is found, for example, hackers write code that takes advantage of it and try to reach as many people as possible before a fix ships. The serious desktop threats, however, are the pieces of malware sophisticated enough to use many paths of entry and complex enough to remain undetected through multiple means of stealth. That is exactly what this particular malware does.

Backdoor intruder

Nicknamed Backdoor.AndroidOS.Obad.a, this malware exploits a hole in the code packing system: by planting deliberate errors in the AndroidManifest file, it produces an executable that should be rejected as invalid but is still processed by the Android smartphone. Once installed, it gets itself elevated to Device Administrator status, and by using another security hole in Android it avoids being listed among the apps holding that privilege, which makes it impossible to remove. The complexity doesn't stop there. The malware uses encryption extensively to keep all of its variable names secret, and it reaches out over the network to download part of the Facebook home page, which it uses as its encryption key; this doubles as a check that it is truly online and able to connect to its control servers.

Once it has set itself deep in your phone, it starts receiving commands from its command and control system to update itself, download more malware, and send expensive SMS messages to foreign numbers. All of this means it is hard to find, hard to analyze, and can be modified on the fly to thwart attempts to remove it. In this particular case, the infection rate is still very low right now, with most victims in Russia, and mobile antivirus software is being updated to detect it. But the fact remains that this sort of complex malware had previously only been seen on desktops, never on mobile phones. It proves that smartphones have become a big enough target for even the most sophisticated criminals to go after them.
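Because the malware above hides itself from the Device Administrator list in Settings, a defender cannot trust that list alone. As an added example (my own code, not the article's or Kaspersky's), the Python script below audits decoded AndroidManifest.xml files for components that declare Device Administrator rights and flags manifests that fail to parse as findings in their own right; the package names and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"


def device_admin_receivers(manifest_xml: str) -> list:
    """Return names of <receiver> components that request Device Administrator rights.

    A device-admin component is a receiver protected by BIND_DEVICE_ADMIN and/or
    listening for DEVICE_ADMIN_ENABLED. Malformed XML raises ValueError so the
    caller records a finding instead of silently skipping the app.
    """
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError as exc:
        raise ValueError(f"malformed manifest: {exc}") from exc
    found = []
    for receiver in root.iter("receiver"):
        perm = receiver.get(ANDROID_NS + "permission")
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if perm == BIND_DEVICE_ADMIN or DEVICE_ADMIN_ENABLED in actions:
            found.append(receiver.get(ANDROID_NS + "name", "<unnamed>"))
    return found


def audit(manifests: dict) -> dict:
    """Map package name -> status for a fleet-style review of decoded manifests."""
    report = {}
    for pkg, xml in manifests.items():
        try:
            admins = device_admin_receivers(xml)
        except ValueError as exc:
            report[pkg] = f"SUSPICIOUS ({exc})"
            continue
        report[pkg] = "device-admin:" + ",".join(admins) if admins else "ok"
    return report


# Constructed sample manifests (hypothetical package names, not real apps).
GOOD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.mdmagent"><application>
  <receiver android:name=".AdminReceiver"
    android:permission="android.permission.BIND_DEVICE_ADMIN">
    <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
    </intent-filter></receiver></application></manifest>"""
# Deliberately broken: unbound "android:" prefix and an unclosed <receiver>.
BROKEN = "<manifest><application><receiver android:name='x'></application></manifest>"
PLAIN = '<manifest package="com.example.notes"><application/></manifest>'

if __name__ == "__main__":
    print(audit({"com.example.mdmagent": GOOD, "bad.pkg": BROKEN, "com.example.notes": PLAIN}))
```

A legitimate MDM agent will show up as `device-admin:` and should be on your allow list; anything else with that status, or anything marked SUSPICIOUS, deserves a closer look.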

Be more aggressive on the mobile front

The problem with all of this is that, according to a recent report, 63% of businesses do not manage corporate information on mobile devices. With the latest BYOD trend, people are allowed to bring their own devices, which may already be compromised, into the office without any check or balance. 67% of respondents say employees have personal devices at work that connect to the corporate network, and 79% say they have had some type of mobile security incident in the past.

Fortunately, modern mobile platforms have learned the lessons of the desktop. All of the popular platforms, including iOS, Windows Phone, BlackBerry, and Android, set a much higher security threshold from the get-go: apps are sandboxed from each other, the user does not run with administrator privileges by default, and a centralized store means apps can be killed remotely and devices wiped. Still, what else can you do as an IT pro to make sure your employees' devices are safe? First, make sure you have some kind of centralized management. You can use Microsoft ActiveSync to control what goes on these devices, and there are many popular third-party tools such as Citrix's XenMobile.

Using these tools, you can enforce encryption, control which apps your employees can download and use, and block rooted or jailbroken devices from infecting your network. You can also use one of the many anti-malware solutions available on the various app stores; just recently Malwarebytes said it would release an Android version of its popular software by the end of the year. Overall, the security situation on mobile devices is much better than on the desktop, but that doesn't mean you should leave yourself completely open to problems. Just as desktop malware evolved into ever more sophisticated threats, mobile malware is sure to go the same way.

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

11 comments
GSG

I read the report from Kaspersky, and here's what they say about removing it: "By exploiting this vulnerability, malicious applications can enjoy extended Device Administrator privileges without appearing on the list of applications which have such privileges. As a result of this, it is impossible to delete the malicious program from the smartphone after it gains extended privileges." Wonder if a factory reset will be required. In the comments from the Kaspersky report, others asked how you get it and one of the Kaspersky people commented with this: "How - mostly by SMS spam When - May 2013 Where - mostly in Russia, but it was in other countries too" So, you get it by doing the very thing we're always warned against... Don't click on unknown links, especially from unknown sources, whether email, SMS, Facebook, whatever.

malcolmcd

Journalists at TechRepublic and its sister publications seem unwilling or unable to question security firms' press releases about Android malware. Yes, there is malware that targets the Android OS, and it needs to be reported, not least because reporting it will keep up pressure on Google, Samsung, HTC, et al., to do more to defend against it. However, for an article to be interesting and relevant to your readers, as well as reporting the malware, it needs to inform about the level of risk to the average user. Most malware is not a risk to the majority of TechRepublic readers who only use Google Play to load apps onto their phone. Most articles do not mention whether there are reported cases on Google Play. To be fair, this article did say most cases reported have been found in Russia, where many users do not exclusively use Google Play. From that we may infer that this particular malware has not infected any apps on Google Play. That's more information than most articles report but does not go far enough. What I (and I suspect the majority of your readers) want from tech journalists is relevant information like "what is the risk if I just use established app stores?". Unfortunately that will require a bit of research, not simply repeating the information that a security firm's sales pitches pump out. They want to sell their product so have no interest in being balanced; as journalists you should...

chaos213

There are positive reasons to employ BYOD. I have techs come to my house that are getting paid just over minimum wage and use their own cells to call their base for activations or information. The companies they work for have a need to communicate with their field techs and have found a way to save money with BYOD. The techs either just accept the usage, prefer using a device of their choosing, or both. I imagine there are numerous other examples where BYOD is an advantage. However, there are downsides to BYOD, such as security issues or time wasted, that may make you consider a no-BYOD policy. When I hire summer helpers, usually 7th or 8th grade age guys that want to earn some money, if I see them chatting on their cells instead of mowing, weed whacking or whatever chore they are assigned, I have them shut off their phones or ignore the calls until they are on one of their hourly breaks. A local school suggests students to me. I contact them and their parents. If both are interested I start them at $8 an hour with breaks each hour. I provide a snack every 2 hours and usually a burger or other sandwich fast food if they work 4 hours or more. I expect they will wear the safety gear I give them, work hard and stay focused on what they are doing. The work is not mentally demanding but safety can be an issue if they zone out. I increase the yard helpers to $10 an hour the second year if they work out and want to come back. It's a great system, frees up time for me and provides an age demographic an ability to earn a bit of cash and learn a good work ethic. The bottom line is no BYOD usage, except music headphones, during work time. I am retired now but when I used to work every place I worked had a no personal phone call policy. There is still a need for that approach at times and BYOD often runs counter to the notion.

henry_chaney

I'm with slayer_ - does anyone know how to stop it and/or detect and remove it?

mjc5

If IT people think that users are going to put up with the IT department controlling their phone completely, as this indicates a need for, then BYOD is dead. Then they can buy all my devices for me. And they can have just as much control as they like. So IT departments need to make up a business plan for all the new equipment they are going to buy.

Slayer_

So we know how to avoid it. Or was it there and I didn't see it?

philswift

BYOD needs banning by Government. It is a propaganda trend started by the US to facilitate data mining due to decreased security. Any collaboration leverage is crushed by a massive increase in risk of data not being retained, a corruption of data and data theft. We need to protect our Data Borders just as we protect our Geographical Borders. 'If it ain't on the hardware white-list, it ain't coming in'