BYOD Android devices play an important role in enterprise security

Find out how Donovan Colbert used his TF300 Transformer tablet/convertible to safely manage a virus in his Windows shop.

Many IT professionals have recently become acquainted with the W32.Changeup virus. It joins Win32.Funlove and W32.Klez among the most memorable viruses I've had the displeasure of dealing with in the last decade. The experience did, however, show me a key benefit of allowing BYOD hardware in a corporate environment.

W32.Changeup is a rapidly spreading virus that attacks Windows file shares: it sets the hidden attribute on every folder at the root of a share and drops an executable payload with the same name as each folder, using a folder icon so that the .exe takes the folder's place in Explorer. When a user double-clicks the executable disguised as a folder, the virus infects their machine and then does the same thing to any attached USB drives and mapped shares on that machine.

Even though we're a Windows shop, I generally keep at least one Linux box running somewhere. After a recent reorg and office move, my trusty old Linux box had disappeared, and I hadn't gotten around to building a new one. Fortunately, I quickly realized I had a better solution available.

I tagged along with a desktop support agent as he responded to an infected client machine. At that point, the team had been running the cleaning scan from an external USB drive. When we inserted a thumb drive with the cleaning executable on it, the virus instantly infected the thumb drive.

Up until then, we didn't have a captured sample of the virus. I grabbed the thumb drive, took it down to our lab, and built isolated machines to test and document the virus's behavior. The outbreak dragged on, and we struggled to contain it. Eventually, we sent a sample to our AV vendor to find out why their .dat signature files weren't detecting it; as suspected, our infection was a previously unknown variant. Supplied with our samples, they quickly shipped a new .dat that detected and cleaned it, which was the tipping point in containing the outbreak.

My TF300 Transformer was instrumental in letting me handle the virus safely on a non-Windows platform. I inserted the USB drive into the Transformer, copied the executables to the device, and, with AndroZip File Manager, built an archive of the infected files to send to our AV vendor via FTP. Because the payload is a Windows executable, it cannot run on Android, so the tablet could hold and package the samples without ever executing them.

As an additional bonus, ASTRO File Manager / Browser, the popular Android file explorer that supports mapping SMB (Samba) shares, exposed the folder-impersonation trick immediately. It lists hidden folders by default and ignores the embedded Windows icon, so the disguised payloads appeared as what they were: .exe files sitting next to same-named hidden folders. During the response, my Windows laptop stayed off the corporate network the entire time, while I attached my Android convertible to the network throughout the event without worry.
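To make the folder-impersonation pattern concrete, here is an added example (not part of the original article, and not a tool the author used) that checks a share root the way ASTRO or any non-Windows file browser sees it: it pairs each folder with a same-named .exe beside it, reads the file's first two bytes for the MZ magic that every Windows executable starts with, and emits a SHA-256 manifest of the kind you would include with samples sent to an AV vendor. The directory tree it scans is constructed inline from inert stand-in files; the hidden-attribute check only reports anything on Windows, which is exactly why the folder/.exe pairing, not the attribute, is the detection signal.

```python
"""Spot the W32.Changeup folder-impersonation pattern on a share root.

Added example: scans a directory as a non-Windows file browser sees it,
pairing each folder with a same-named .exe dropped beside it, and produces
the SHA-256 manifest you would hand to an AV vendor along with the samples.
"""
import hashlib
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; only visible in stat() on Windows
PE_MAGIC = b"MZ"             # every Windows executable starts with this DOS header magic


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_hidden(path: Path) -> bool:
    """Report the Windows hidden attribute where the platform exposes it.

    A Linux/Android view of an SMB share usually does not carry this bit,
    which is why the pairing check below, not the attribute, is the signal.
    """
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def find_folder_impostors(root) -> list:
    """Return one record per folder that has a same-named .exe next to it."""
    root = Path(root)
    findings = []
    for entry in sorted(root.iterdir()):
        if not entry.is_dir():
            continue
        impostor = root / (entry.name + ".exe")
        if not impostor.is_file():
            continue
        with impostor.open("rb") as fh:
            magic = fh.read(len(PE_MAGIC))
        findings.append({
            "folder": entry.name,
            "folder_hidden": is_hidden(entry),
            "impostor": impostor.name,
            "is_pe": magic == PE_MAGIC,
            "size": impostor.stat().st_size,
            "sha256": sha256_file(impostor),
        })
    return findings


def manifest_lines(findings) -> list:
    """sha256sum-style lines for the vendor submission archive."""
    return [f"{f['sha256']}  {f['impostor']}  ({f['size']} bytes)" for f in findings]


def build_sample_share() -> Path:
    """Constructed test tree, not real malware: the fake .exe files hold only
    the two-byte MZ magic plus a text note and cannot execute anywhere."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    for name in ("Finance", "HR", "Public"):
        (root / name).mkdir()
    for name in ("Finance", "HR"):
        (root / f"{name}.exe").write_bytes(PE_MAGIC + b" constructed inert sample\n")
    (root / "setup.exe").write_bytes(PE_MAGIC + b" legit installer, no twin folder\n")
    (root / "readme.txt").write_text("not an executable\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    hits = find_folder_impostors(share)
    for hit in hits:
        print(f"{hit['folder']!r} is shadowed by {hit['impostor']} (PE: {hit['is_pe']})")
    print("\n".join(manifest_lines(hits)))
```

Run against a real share root (mounted read-only), `setup.exe` with no twin folder and `Public` with no twin executable are correctly ignored, while `Finance.exe` and `HR.exe` are reported; the manifest lines are what you would paste into the vendor ticket alongside the archived samples.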

Granted, none of this is anything you couldn't do on a Linux or Mac box, but for many Windows-only shops, especially SMBs and consultants, there are few cheaper or more versatile ways to carry out enterprise security tasks on a Windows network with virtually no risk to the device you're working from. This enterprise use for Android devices hasn't received enough consideration.

Of course, this isn't the only situation where a non-Windows machine is useful. Users frequently forward me obvious spam that carries attachments or links. I always do my due diligence on the headers, checking whether the envelope sender and Received chain contradict the visible From address, but it's helpful to dig a little deeper and find out what the attachment actually is and where the links lead.

There are various ways to get a spam message and its attachments onto an Android device, but most often I simply open Outlook Web Access in mobile Chrome. From there I can examine the message and follow its links or open its attachments with more confidence than I'd have on a Windows machine. Executive staff worry about false positives, so this lets me confirm beyond doubt that a message is malicious and then write a more detailed alert to our users describing the attack and its goals. I can also safely identify the IP addresses or ranges to block at the firewall and in Exchange, and send detailed abuse reports to the ISPs hosting the compromised servers.
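As an added example (mine, not the author's workflow), the following script does the header and link inspection described above offline, so nothing is followed or opened: it compares the From domain with the Return-Path envelope sender, pulls the connecting IP from the earliest Received header, lists each link's real host next to the host its anchor text displays, and flags attachments whose last extension is executable behind a decoy one. The message it parses is constructed inline with reserved example addresses and IPs; its attachment body decodes to just the two bytes MZ.

```python
"""Offline triage of a forwarded phishing message (added example).

Compares the visible From domain with the envelope sender and first-hop
relay, shows where each link points versus what it displays, and inspects
attachments, without following any link or opening any file.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlsplit

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample (reserved example hosts/IPs); the attachment is just "MZ".
SAMPLE_EML = b"""\
Return-Path: <bounce-4471@mail-relay.example.net>
Received: from mx.corp.example ([10.1.2.3]) by exchange01.corp.example; Tue, 5 Feb 2013 09:14:02 -0800
Received: from mail-relay.example.net ([203.0.113.77]) by mx.corp.example; Tue, 5 Feb 2013 09:14:01 -0800
From: "Acme Payroll" <payroll@acme-bank.example>
Subject: Action required: payroll update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Please <a href="http://203.0.113.77/~upd/login.php">www.acme-bank.example/login</a> to confirm.</p>
<p>Form: <a href="http://acme-bank.example/forms/w2.pdf">acme-bank.example/forms/w2.pdf</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="payroll_update.pdf.exe"
Content-Disposition: attachment; filename="payroll_update.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _host_of(text: str) -> str:
    """Hostname of anchor text that looks like a URL or host/path; '' otherwise."""
    if not text or " " in text or "." not in text:
        return ""
    return (urlsplit(text if "://" in text else "http://" + text).hostname or "").lower()


def triage(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = _domain(str(msg["From"]))
    rp_dom = _domain(str(msg.get("Return-Path", "")))
    # Received lines are prepended per hop, so the last one is the earliest;
    # trust only the lines your own servers added, the rest can be forged.
    received = [str(h) for h in msg.get_all("Received", [])]
    ip = IPV4.search(received[-1]) if received else None
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _Links()
    parser.feed(body.get_content() if body is not None else "")
    links = []
    for href, text in parser.links:
        host, shown = (urlsplit(href).hostname or "").lower(), _host_of(text)
        links.append({"href": href, "host": host, "text": text,
                      "raw_ip_host": bool(IPV4.fullmatch(host)),
                      "display_mismatch": bool(shown) and shown != host,
                      "matches_sender": host == from_dom or host.endswith("." + from_dom)})
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = [s.lower() for s in PurePosixPath(name).suffixes]
        data = part.get_payload(decode=True) or b""
        attachments.append({"filename": name,
                            "masquerading_ext": len(exts) > 1 and exts[-1] in EXEC_EXTS,
                            "pe_magic": data[:2] == b"MZ"})
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "envelope_mismatch": from_dom != rp_dom,
            "origin_ip": ip.group(0) if ip else None,
            "links": links, "attachments": attachments}
```

`triage(SAMPLE_EML)` reports the From/Return-Path mismatch, the relay IP 203.0.113.77 to block or report, a link whose anchor text shows the bank's hostname while its href is a bare IP, and a `.pdf.exe` attachment that begins with the PE magic. Two caveats for real messages: only the Received lines your own servers added can be trusted, so read the chain from the top and stop at the first hop you did not record; and a From/Return-Path mismatch by itself is also normal for legitimate bulk mail, so treat it as one signal among the others rather than proof.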

A full-featured Android tablet can be an indispensable part of an IT pro's toolbox once you start thinking outside the box and realize it can do more than serve up Facebook and Angry Birds. Are you using your mobile device in any creative ways to achieve enterprise goals in your shop? Share your experiences in the discussion thread below.

Also read

TechRepublic and ZDNet delve deeper into this topic in a special report page: BYOD and the Consumerization of IT.

About

Donovan Colbert has over 16 years of experience in the IT Industry. He's worked in help-desk, enterprise software support, systems administration and engineering, IT management, and is a regular contributor for TechRepublic. Currently, his profession...

8 comments
dcolbert

https://www.google.com/#hl=en&safe=active&tbo=d&sclient=psy-ab&q=web+based+android+attacks&oq=web+based+android+attacks&gs_l=hp.3...1155.7563.0.8002.27.25.1.0.0.0.368.3862.0j23j1j1.25.0.les%3Bernk_timediscountb..0.0...1.1.2.hp.vMNW3eLxHyU&pbx=1&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.&bvm=bv.42261806,d.aWc&fp=cecfd734039d8d45&biw=1366&bih=643 Most articles about Android web based attacks are around November 2010 and focus on *some* versions of Android 2.1. I can't find anything more recent. The few articles with any details about actual Android Malware describe downloading specific Android apps from non-Google Play sites, installing them *and* accepting outrageously broad permissions terms during the software installation. And that is the thing - I haven't heard of a single Android drive-by infection that doesn't require *tricking* an end user into enabling the "malware" by installing it themselves and accepting the permissions that allow it to do bad things. That makes Android malware uniquely different than Windows malware - which can install and take control of your machine without any user interaction whatsoever. That is - reports about pervasive Android malware are mostly FUD. People who don't know what they're doing who click on anything and accept permissions rights that make no sense are the ones getting infected by Android malware.

frylock

Android malware is on the rise, I wouldn't be so quick to assume those links are safe on an Android device. I'd rather use a laptop/PC with an expendable OS (of any flavor) running in a VM. Not as convenient as a tablet, but security seldom is.

HAL 9000

Just how many Droids are actually infected with this crap? Remember the average user doesn't know what it is that they are doing when they load an App that they think they want. ;) Col

dcolbert

Is - at this point, limited to apps you download and give permissions and which abuse those permissions. There is a huge disconnect in understanding what Android malware is and isn't, and I really blame this on the blogging press and rabid Apple fanaticism. If it were simply a case of drive-by delivery of native executables or browser security exploits, then *any* platform would be susceptible to links to malware sites, including iOS, OSX and Linux. But the fact is that we haven't seen any examples of viruses, trojans or malware targeting native execution on any of those platforms, nor on Android. While it might be theoretically possible - there wouldn't be a lot of payoff in designing a native code web-link delivered executable to these platforms. You've got to understand - generally there are two ways that a Windows infection was placed onto a machine through e-mail. Either an attachment in a zip file contained executable code that ran in native IA86 Windows code, and the e-mail tried to get you to click that code... Or... There would be a link in an html attachment or in the body of the email itself that would redirect you to a site that would try to place a malware payload on your system. (This is generally described as a drive-by infection in security circles). In order to get that code to execute automatically, the website would traditionally try a buffer-overrun exploit, which would simply flood the buffer. The "overflow" would then actually execute as a command line execution, running the program, frequently with escalation of privilege so that the code would run with administrator rights. When you think of Malware you can pick up by visiting a site, this is what you're thinking about, and it is a phenomenon solely isolated to Windows machines. Now, hackers have actively exploited these same techniques against OS X, but those were active attacks, not passive scripted payload deliveries. 
As far as I know, there is no record of an attack like this ever being launched against any platform except Windows. Android malware is a whole different beast. Android Malware is when you purposefully accept a download or sideload an .apk that claims it is one thing, but is actually harvesting data like passwords and user accounts or other information passing through your Android device and sending them to the author. They're two totally different things, the kind of Malware that an e-mail attachment will direct you toward and what tech journalists call "Android Malware". A VM is not a sandbox that guarantees a virus won't skip from the VM onto the bare-metal or onto your network, either. In fact, if you've got shares mapped or you've bridged your VM network to your physical network, the chance of spread is quite likely. Unless you have a share mapped directly from a tablet to your network, the odds of a virus infecting your tablet and then spreading to your network or other devices is far more remote. In all cases, though, your expertise and comfort with dealing with and containing viruses or malware is the most important criteria. If you're not sure what you're doing, you can create more problems than you solve.

dcolbert

How is that relevant to the point the original poster was making - that following an e-mail link to confirm a website could endanger your Android device when the destination Malware would either require you to click on something or be Windows oriented (and would likely be both)? I'm assuming any IT professional with an Android tablet who is following up on a user's e-mail to confirm it is legitimate should know what they're doing. :) I saw an article on CNN today that claimed that porn sites are infecting phones with Malware and this is the majority growth vector for malware infections. They didn't say which phones or how or what the malware is. I'd like to see some real documentation on what these infections are and how they're getting on smartphones.

dcolbert

http://m.nbcnews.com/technology/technolog/first-known-android-drive-download-found-749499 If you read that article, the offending site still needs to trick you into side-loading a non-market app and accepting the list of permissions before the "drive-by" payload can be activated on your Android device. There simply are *no* recorded cases of Malware being deployed to an Android device without the interaction of the end user - and I'm assuming if you're using an Android device to check out a link in an e-mail that you are suspicious of and you are technically competent, you're *not* going to click on a pop-up request on such a site that says, "in order to display this site, you need to download and install this important Android security patch," when you're already on your guard. Now - recently both Microsoft and Apple were hit by a Java exploit. This exploit doesn't compromise Windows or OS X, it exploits a flaw in Java. The solution is to disable Java in your browsers. I've wondered if the heavily borrowed code-base of Dalvik, based on the Java SDK, might be susceptible to the same exploits - but there is no confirmation of that at this point - and it seems to me that any malware that was hosted on a web-site would have to be able to launch native Dalvik Java through Java routines in the browser in order to successfully compromise an Android device. No platform is 100% secure. But prudent paranoia is different than fear based on misinformation.

HAL 9000

Is that with the Elevated Privileges that some of the Droid Malware has access to that it can be used to spread infections to Windows Systems. It's the reason why, when I use any Tool like that, I don't install anything to it; I leave it in the Bare Delivered Form so it doesn't do more Harm than Good. ;) Maybe I'm just Paranoid but it works for me. I do however tell everyone that I'm Lazy and don't like creating more work for myself than necessary. :D Col

frylock

that simply clicking on a link can't infect an Android device. Maybe it can't, but I personally am uncomfortable assuming so. And I saw that article as well, which does worry me. For one thing, you can't always tell a link goes to a porn site until you actually go to the site. And if I recall correctly, that article stated that 20% of malware is coming from porn sites, which implies to me that 80% comes from non-porn sites.