    Author Archive - Alice Decker (Senior Threat Researcher)

    It has become an inevitable part of the Android user experience that apps will ask for a long laundry list of permissions. Many apps will ask you to grant them network access so they can download updates. Others seek permission to read your phone’s state and identity so calls won’t disrupt them from doing what they’re doing. Unfortunately, these permissions can be abused for criminal intentions.

    Rise of Aggressive Mobile Adware

    Aside from apps abusing users' permissions, we noted a significant rise in the number of aggressive mobile adware apps, as reported in our 3Q Threat Roundup Android Under Siege: Popularity Comes at a Price. Trend Micro considers this adware "high risk", as it poses a serious threat to users' privacy and serves as an effective means of collecting data that can then be used for suspicious purposes.

    Recently, I was testing Android apps from Google Play and, after a simple typo, I carelessly downloaded a Flash player app. Fortunately, the installed Trend Micro Mobile Security app notified me of a dangerous app.


    Posted in Mobile | 1 TrackBack »

    Living in Europe, I noticed the general interest of the media, politicians, and users in privacy and potential data leakage. This concern is surely not limited to Europeans; people from around the globe and governments are also interested in how to protect the sensitive data stored on mobile devices.

    With this in mind, I recently checked a study on the Top 25 Free Apps used by German Android users. I researched and found out that 60% of these apps have the potential to put users’ data at risk.

    I focused my research on popular apps in Germany because I am aware of how sensitive Germans are about their mobile data protection and privacy. The Federation of German Consumer Associations, in particular, monitors potential privacy issues in the country. The group has already taken action against several corporations that threaten to violate German privacy laws and consumer rights.

    I was curious to see which of the popular apps cited in the article request information, and was also looking forward to using Trend Micro's latest Android security product, Trend Micro Mobile Security for Android, to check on these apps.

    Upon checking, I found that among the top 5, only Facebook and Adobe Flash Player 11 were found to ask for less mobile data and consume fewer resources (e.g., battery life and memory). I checked further and found that the possibly exposed data includes location (34%), International Mobile Equipment Identity (IMEI) (27%), and databases like the address book (21%). The apps that provide more information (or are "chatty") include the hit mobile game Angry Birds. The classic Angry Birds and Angry Birds Rio have access to data that include the IMEI, International Mobile Subscriber Identity (IMSI), location, incoming data, and databases.

    Aside from gaming apps, it is interesting to note that apps such as Skype and Google+ consume the most battery life even when they are just open and idle.

    The fact that mobile apps disclose information may not sit well with certain users. To some, giving access to IMEI and other data may constitute a data leakage. Others may consider this as harmless and part of installing a mobile app.

    Unwanted mobile data disclosure, however, is a real threat that we are only too familiar with. Previously, we have found several instances of Trojanized versions of popular apps that send recorded and other mobile data to a command center without the user’s knowledge. In turn, the stolen information can be used in other cybercriminal schemes.

    Trend Micro Mobile App Reputation

    I was able to generate these data using Mobile App Reputation, which is featured in the recently released Trend Micro Mobile Security on Google Play. This new cloud service receives APK packages and analyzes several of their characteristics that can negatively influence a device's performance and data security. These include, but are not limited to, dangerous use of API calls, specific data leakage, battery consumption, unwanted permissions, and developer information. It also checks and builds up the reputation of the mobile app and its developer(s).

    The rule of thumb is to be discerning of an app’s requested permissions and access to the device’s data. Read more about mobile apps and what kind of permissions these require. If it asks for permissions beyond its function, think twice before installing the app.
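One way to apply that rule of thumb before installing is to read the permissions an app declares and map them to the data they unlock (the IMEI/IMSI, location and address-book categories discussed above), then list whatever exceeds the app's stated purpose. The following is an added example and is not code from this post or from Trend Micro's product. It assumes the APK's AndroidManifest.xml has already been decoded from binary XML to text (for instance with apktool); the manifest it parses is constructed for illustration, and the grouping of permissions into data categories is this example's own.

```python
"""Map the permissions an Android app requests to the device data they unlock.

Added example, not code from the post or from Trend Micro's product. Assumes the
APK's AndroidManifest.xml has already been decoded to text (e.g. with apktool);
the manifest below is constructed for illustration.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, mapped to the data or capability each grants.
# The grouping into categories is this example's own.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "device identity (IMEI, IMSI, phone number)",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_SMS": "stored SMS",
    "android.permission.RECEIVE_SMS": "incoming SMS",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed manifest for a hypothetical game that should only need network access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.birdgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Bird Game"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> value in document order."""
    root = ET.fromstring(manifest_xml)
    return [
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    ]


def data_exposure(manifest_xml: str) -> dict[str, str]:
    """Sensitive data the app can read, keyed by the permission that grants it."""
    return {p: SENSITIVE[p] for p in requested_permissions(manifest_xml) if p in SENSITIVE}


def can_leak(manifest_xml: str) -> bool:
    """Collected data can only leave the device if the app also has network access."""
    perms = set(requested_permissions(manifest_xml))
    return "android.permission.INTERNET" in perms and any(p in SENSITIVE for p in perms)


def excess_permissions(manifest_xml: str, needed: set[str]) -> list[str]:
    """Sensitive permissions beyond what the app's function needs: the ones to question."""
    return sorted(p for p in data_exposure(manifest_xml) if p not in needed)


if __name__ == "__main__":
    needed_by_a_game = {"android.permission.INTERNET"}
    for perm in excess_permissions(SAMPLE_MANIFEST, needed_by_a_game):
        print(f"{perm}: exposes {SENSITIVE[perm]}")
    print("can send collected data off-device:", can_leak(SAMPLE_MANIFEST))
```

The `needed` set is the judgement call the post asks the reader to make: a game plausibly needs network access for updates, so INTERNET is expected, while READ_PHONE_STATE, location and contacts are not explained by its function. The `can_leak` check is the combination that matters most in practice, since a sensitive permission without INTERNET can only be abused locally.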


    Posted in Mobile | Comments Off on Do You Know What Data Your Mobile App Discloses?

    Earlier this month, the Anti-Malware Testing Standards Organization (AMTSO) published new guidelines on the delicate topic of testing anti-malware products. Since then, many experts in the anti-malware industry have been commenting on the said guidelines. Many of these comments (including some from myself), have been summed up by tech blogger Kevin Townsend here.

    After reading the article, you will appreciate that everyone has the right to express different points of view. However, we all came to the same conclusion—measurement and comparison are indispensable and essential in guiding competition. Competition in the anti-malware industry is truly ethical and based on conducting research on and mapping out user needs and requirements. Only with these in hand can we offer customers the most effective solutions to solve their problems.

    All industries undergo testing and benchmarking to gauge how much their products have improved over previous versions, and how they compare to the competition. Without testing, improvements or innovation will not be possible, as nobody will see the need to change the way things are done.

    The AMTSO has published two new documents—the “Performance Testing Guidelines” and the “Whole Product Protection Testing Guidelines.”

    Trend Micro particularly approves of the latter. As early as 2004 or 2005, our researchers had recognized that the detection rate on a static collection of files could no longer be considered a viable benchmark. At the same time, improving file scanning would not solve the new generation of malware threats.

    That has since proven to be true. Malware threats change and evolve so quickly that everyone is forced to admit that waiting for new patterns is no longer good enough. File scanning became only part of a greater whole, a module of a greater threat protection concept.

    Since threat protection is a concept expressed in a program suite, it is only fair to test the whole product, not independent parts of it. For some environments, it may be important to figure out how effectively each module works (e.g., intrusion detection, file scanning, email scanning, anti-phishing, etc.). For end users, however, what matters is that the threat is stopped preferably before it arrives on any of their devices.

    Testing bodies (individuals and companies alike) saw that change was needed. In 2007, they started to discuss (at AVAR where Andreas Marx presented) and develop new concepts and methodologies for whole-product testing.  Some of the pioneers in this area were NSS Labs and Dennis Technology Labs. Back in 2009, both showed the first results of new approaches that focused on how whole product testing can be conducted.

    Whenever you see a new set of anti-malware software testing results, keep the methodology used in mind. See if you can identify any of the top ten testing mistakes frequently made by testers and prepare to question the conclusions in the report.

    Posted in Bad Sites | Comments Off on What the New AMTSO Guidelines Mean for Users

    Some time ago (February 25–26), the Anti-Malware Testing Standards Organization (AMTSO) had its first meeting this year. This time, it was hosted by McAfee and took place in Santa Clara, California.

    One of the hot topics during the meeting was related to the initiative to review reports published by testing and certification organizations/companies.

    How was this process designed? The Review Analysis Board (RAB) of the AMTSO receives initial requests, makes a decision to conduct a review, and coordinates the work of the Review Analysis Committee (RAC). The RAC comprises volunteer members that analyze reports against the organization’s existing nine principles. The AMTSO’s principles were agreed upon by its members—testers and antivirus vendors—and supported by the AMTSO’s academic advisors. The testing principles mainly refer to how published reports could be presented to their audiences.

    The review process does not, however, intend to prove if the right things were done but rather to review whether the things done were done right.

    As such, as long as a test report included an accurate description of how threat samples were gathered and validated, how tests were conducted, and how conclusions were made (including correct and fair communication among all parties involved in the testing), then the report may be deemed compliant with the AMTSO’s testing principles. The actual testing methodology used by a testing lab was not, itself, the subject of the review.

    Take, for instance, a highly innovative test like the one conducted by NSS Labs last year. This was reviewed based on how well the testing methods and conditions were described and whether the conclusions did follow the test results, regardless of the way the test was designed and its methodology.

    The AMTSO’s reviews neither intend to promote nor constrain innovation in anti-malware product testing methodology but to improve output quality.


    DefCon in Las Vegas is probably the biggest event hackers and even non-hackers have been waiting for. Although there were fewer people at this year's DefCon (around 6,000, my estimate), the presentations, contests, and parties still raked in a huge number of attendees.

    The DefCon attendees believe that cybercriminals will likely be doing more of the same in the near future. Some techniques highlighted were:

    • That Internet browsers will continue to be the easiest platform to exploit, regardless of which browser a user uses. Cross-site scripting (XSS) and cross-site request forgery (CSRF) will continue to make hackers' lives easier. In the same context, I got an insight into anonymous browsing tunneled over XSS (XAB), wherein one or many Web browsers can be used for traceless data transfer. In the future, encryption and possible computer chaining were predicted for XAB.
    • The use of Metasploit as a software as a service (SaaS) was dubbed a good practice. We are, in fact, seeing a trend (with Zeus and Ilomo) that malware can be updated via the Internet. I found it amazing that a lawyer talked about hackerspaces and their legal bases. It seems that hackers are already one step ahead in protecting themselves even before laws against hacking are instituted by governments.
    • Last but not least, I found that defeating Secure Sockets Layer (SSL) technology and stealing certificates seemed a very easy task for hackers; in fact, it is already an automated step in stealing credit card numbers and identities.

    Attacking datacenters was suggested as a new topic for next year's DefCon. Datacenters can be attacked or exploited either physically (through lock picking) or digitally (hacking Hadoop, one of the most widely used distributed data-processing platforms). I did not hear anything about distributed denial-of-service (DDoS) attacks on datacenters, as this would probably only make sense in cases of blackmailing their customers.

    The fact that there was no secure OS was again reiterated. This was proven by the presentation on “Runtime Kernel Patching on Mac OS X,” from which I gathered:

    Runtime kernel patching has been around for almost 10 years and is a technique frequently used by various rootkits to subvert the kernels used in many modern OSs.

    This technique does not require any type of kernel modules or extensions and will allow you to hide various things like processes, files, folders, and network connections by modifying the kernel’s memory directly. It will also allow you to place various backdoors in the kernel for privilege escalation.
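The two effects described above, hiding an object by editing kernel memory and planting a privilege-escalation backdoor, come down to two writes: unlinking a structure from a list the kernel walks, and overwriting a function pointer in a dispatch table. The following is an added illustration and is not code from the DefCon talk or from Trend Micro. The "kernel" is an ordinary Python object, so the writes a rootkit would make to kernel memory become attribute assignments here; the names `allproc` and `sysent` mirror the XNU structures, the syscall numbers follow BSD numbering (setuid 23, getuid 24), and the process list is simplified to a singly linked list.

```python
"""Model of runtime kernel patching: hide a process by unlinking it from the
kernel's process list, and plant a privilege-escalation backdoor by patching a
syscall-table entry. Added illustration, not code from the DefCon talk or from
Trend Micro. The "kernel" is a Python object; names follow XNU's allproc and
sysent, syscall numbers follow BSD (setuid 23, getuid 24).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

SYS_SETUID, SYS_GETUID = 23, 24
EPERM = -1
Handler = Callable[["Kernel", "Proc", int], int]


@dataclass
class Proc:
    pid: int
    uid: int
    comm: str
    next: Optional[Proc] = None  # allproc modelled as a singly linked list


@dataclass
class Kernel:
    allproc: Optional[Proc] = None                             # head of the process list
    sysent: dict[int, Handler] = field(default_factory=dict)   # syscall dispatch table
    procs: list[Proc] = field(default_factory=list)            # backing storage


def sys_getuid(k: Kernel, cur: Proc, arg: int) -> int:
    return cur.uid


def sys_setuid(k: Kernel, cur: Proc, arg: int) -> int:
    if cur.uid != 0:          # only root may change its uid
        return EPERM
    cur.uid = arg
    return 0


KNOWN_GOOD: dict[int, Handler] = {SYS_GETUID: sys_getuid, SYS_SETUID: sys_setuid}


def kernel_init() -> Kernel:
    """Boot the toy kernel with four processes and a clean syscall table."""
    k = Kernel()
    table = [(0, "launchd"), (0, "sshd"), (501, "bash"), (501, "implant")]
    k.procs = [Proc(pid, uid, comm) for pid, (uid, comm) in enumerate(table, start=1)]
    for a, b in zip(k.procs, k.procs[1:]):
        a.next = b
    k.allproc = k.procs[0]
    k.sysent.update(KNOWN_GOOD)
    return k


def list_pids(k: Kernel) -> list[int]:
    """What a process lister sees: walk allproc from the head."""
    out, p = [], k.allproc
    while p is not None:
        out.append(p.pid)
        p = p.next
    return out


def hide_pid(k: Kernel, pid: int) -> bool:
    """Technique 1: unlink the proc from allproc. The object still exists (in a
    real kernel it is still scheduled); only enumeration no longer reaches it."""
    prev, p = None, k.allproc
    while p is not None:
        if p.pid == pid:
            if prev is None:
                k.allproc = p.next
            else:
                prev.next = p.next
            return True
        prev, p = p, p.next
    return False


def install_setuid_backdoor(k: Kernel, magic: int = 0x1337) -> None:
    """Technique 2: overwrite one sysent slot. A magic argument grants uid 0 to
    any caller; every other call is forwarded to the original handler so that
    nothing visibly breaks."""
    orig = k.sysent[SYS_SETUID]

    def hooked(kk: Kernel, cur: Proc, arg: int) -> int:
        if arg == magic:
            cur.uid = 0
            return 0
        return orig(kk, cur, arg)

    k.sysent[SYS_SETUID] = hooked


def syscall(k: Kernel, cur: Proc, nr: int, arg: int = 0) -> int:
    return k.sysent[nr](k, cur, arg)


def sysent_tampered(k: Kernel) -> list[int]:
    """Detection: compare live table entries against known-good handlers, the
    same integrity check a rootkit detector makes against the kernel image."""
    return [nr for nr, fn in KNOWN_GOOD.items() if k.sysent.get(nr) is not fn]


if __name__ == "__main__":
    k = kernel_init()
    shell = k.procs[2]
    print("visible pids:", list_pids(k), "shell uid:", syscall(k, shell, SYS_GETUID))
    hide_pid(k, 4)
    install_setuid_backdoor(k)
    syscall(k, shell, SYS_SETUID, 0x1337)
    print("visible pids:", list_pids(k), "shell uid:", syscall(k, shell, SYS_GETUID))
    print("tampered syscalls:", sysent_tampered(k))
```

Two points carry over to the real thing. First, neither technique loads code into the kernel as a module; they only need write access to kernel memory, which is why the talk stresses that no kernel extension is involved. Second, the backdoored slot forwards everything but the magic value to the original handler, so the system keeps working and the only reliable tell is the integrity check in `sysent_tampered`, not observed behaviour.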

    DefCon originated in 1993. It was meant to be a party for the members of "Platinum Net," a Fido protocol-based hacking network out of Canada. At present, it has become one of the oldest-running and largest hacker conventions around. This year's DefCon was held at the Riviera Hotel and Casino in Las Vegas from 30 July–02 August.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice