“We Must Protect Mobile Devices”
by Tom Malatesta
COO, Ziklag Systems (http://www.ziklagsystems.com)
The great majority of mobile attacks, and their malware, stem from and attack third-party markets, particularly in China and Russia. In most cases, we do not find this malware in the official Android market.
Google’s app store has suffered from some incidents, but so far those counts are moderate. McAfee Labs advises customers to install software only from the official market. That step should greatly reduce the risk of compromising your Android device.
This quarter we saw significant amounts of new adware and mobile backdoor malware, along with some very simple premium-rate SMS-sending malware.
Mobile adware displays ads on a victim’s phone without permission. (This does not include ad-supported games or apps.) Adware ranges from wallpaper with added sales pitches (Android/Nyearleaker.A) to fake versions of games that send visitors to advertising sites (Android/Steek.A). Adware doesn’t necessarily reduce users’ security, but it does subject them to unwanted ads.
Backdoor Trojans on Android have gotten a bit more sophisticated. Instead of performing just one action, they use root exploits and launch additional malware.
Android/FoncyDropper.A, for example, uses a root exploit to gain control of the phone and launch an IRC bot that receives commands from the attacker. It also sends premium-rate SMS messages based on the country of the SIM card.
In a similar vein, Android/Rootsmart.A uses a root exploit to download Android/DrdLive.A, a backdoor Trojan that sends premium-rate SMS messages and takes commands from a control server.
Android/Stiniter.A uses a root exploit to download additional malware and sends information from the phone to sites under the control of the attacker. It also sends text messages to premium-rate numbers. The attacker’s control server updates the message body and the number the hijacked phone sends to.
This quarter, malware writers created one of the first destructive Android Trojans, Android/Moghava.A. Instead of damaging apps or other executables, this malware goes after photos. Moghava.A searches for photos stored on the SD card and adds the image of the Ayatollah Khomeini to each picture. The malware is also a bit buggy, so it will continue to add to the pictures until there is no more space on the card.
The writing is clearly on the wall: we must protect all devices, mobile or otherwise, that have valuable data. If not, today’s cybercriminals will be happy to handle it for us.