
    Author Archive - Kervin Alintanahin (Threats Analyst)

    2011 was a banner year for the Android operating system – as well as for Android malware. The increasing number of Android users made it profitable for attackers to go after them in full force, as we’ve been saying all year long.

    Where are the threats coming from?

    Many of these threats arrive via third-party app stores, particularly in China (where access to the Android Market can be irregular at times). While the app stores are not necessarily malicious, they simply do not have the resources to adequately curate submissions. As a result, malicious, repackaged, and pirated applications are frequently found in these independent app stores.

    What kinds of threats are we seeing?

    What kinds of threats did we see in the mobile arena? Some of them have been seen previously for older OSes, such as premium service abusers that sign users up for paid services they didn’t subscribe to. In fact, these premium service abusers were the biggest threat in 2011, with these malicious apps reaching not just third-party stores, but the Android Market as well (as in the case of RuFraud, DroidDream and DroidDreamLight).

    This threat type is popular because it offers cybercriminals a direct path to profit. However, we are also seeing more sophisticated threats emerge. Some of these kinds of threats have long been seen in the desktop platform. As mobile threats grow in sophistication, it should not be a surprise that tactics are being recycled, as it were.

    Information theft has long been a problem on desktops, but now it is affecting mobile platforms as well. The well-documented DroidDreamLight family is a good case in point: earlier versions restricted themselves to stealing information related to the device, while newer variants steal personal information such as text messages and call logs. For an attacker more interested in stealing corporate secrets than money, such information could be priceless.

    If attackers are interested in stealing financial information instead, that threat also grew in 2011. While the first cases of ZITMO – mobile malware that works with ZeuS to defeat two-factor authentication systems on mobile phones – were seen in 2010, in 2011 we encountered ZITMO Android variants. This highlights how cybercriminals are now attempting to defeat even two-factor authentication schemes.

    Read the rest of this entry »


    The Android Market was once again infiltrated by malware, as a handful of premium service abusers (which we detect as ANDROIDOS_RUFRAUD.A) posing as legitimate apps were uploaded to the site. A few users were able to install the malicious apps before Google took them down, a fast reaction due to the quick responses from vigilant users and security firms.

    Although the malicious apps are now off the Android Market, we must all be consistently on guard for malicious apps that may find their way there in the future, especially now that Android is offering a 10-cent sale to celebrate its 10 billion downloads, which makes users more likely to install the offered apps to take advantage of their low cost.

    To help users keep their Android device malware-free as they load them with more cool apps, in this post we will point out some key items to keep in mind before installing apps:

    Be familiar with the developer/s behind popular apps

    Cybercriminals regularly leverage the popularity of certain apps by imitating them. But since they cannot pose as the original developers, the developer’s name can be a good indicator of legitimacy. For example, the real Android Market page for the game Angry Birds shows that it was developed by Rovio Mobile, while the malicious one was developed by a user named Logastrod:

    [Screenshots: Android Market pages for the legitimate Angry Birds (developer Rovio Mobile) and the malicious copy (developer Logastrod)]

    Users can also check the developer’s profile for other apps. Google also offers developer ratings, as well as the status “Editor’s Choice” that can further validate the developer’s legitimacy.

    Read the rest of this entry »


    For the past week or so, the Internet has been buzzing over Carrier IQ – an application that is apparently preinstalled in devices to monitor network and handset performance – and the privacy issues surrounding it.

    The reports about Carrier IQ raise several issues: the kind of information it gathers, the fact that it comes preinstalled in certain devices without asking for user consent, and what users can do about it.

    According to reports, Carrier IQ logs information such as sent or received text messages, Internet searches made, and phone numbers typed into devices. This routine was confirmed through the video posted by Trevor Eckhart, the researcher who initially raised the flag on Carrier IQ.

    All Part of the Service

    Let us consider the purpose of Carrier IQ: it is an application designed to monitor the performance of the network and the handset. The performance of the carrier can be measured by checking if the services they offer are served properly, services such as text messaging, calls, Internet connection, and others.

    Based on this, we can say that collecting information related to the usage of the aforementioned phone features makes a whole lot of sense, or is even a necessity for carriers to effectively monitor and troubleshoot the services they offer.

    Read the rest of this entry »


    [Figure: A new threat wants to subscribe your device to premium services.]

    A few months back, we reported about an Android malware targeting China Mobile subscribers by abusing premium services, and more recently, one that monitors for certain keywords in text messages. What’s the connection between these two? Well, we were able to analyze an Android malware sample that does both of the previously mentioned routines.

    Detected as ANDROIDOS_AUTOSUBSMS.A, this sample was found in Trojanized versions of certain applications, which are still currently available for download in certain Chinese third-party app stores.

    It registers a receiver called util.Smsreceiver, which executes every time an infected device receives a message. It also requests the permissions that the receiver needs in order to work; these permissions are not present in the app’s original version.
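    The tell-tale signs described above, an SMS receiver and SMS permissions that the original app never declared, can be checked mechanically by diffing the decoded AndroidManifest.xml of a known-good build against the suspect build. The following is an added example written for this post, not code from Trend Micro or from the malware; the two manifests are constructed, the receiver name util.Smsreceiver is taken from the description above, and the package name com.example.racer is a placeholder.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name in ElementTree's Clark notation

# Permissions that let an app read, intercept or send text messages.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Broadcast action a receiver listens for to be invoked on every incoming SMS.
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest of the original (clean) app: a game that only needs network access.
ORIGINAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.racer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Racer">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed manifest of the repackaged build: same app plus SMS permissions
# and a receiver hooked to SMS_RECEIVED, the pattern described in the post.
TROJANIZED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.racer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Racer">
    <activity android:name=".MainActivity"/>
    <receiver android:name="util.Smsreceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def parse_manifest(xml_text):
    """Return (set of requested permissions, {receiver name: set of intent actions})."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    receivers = {}
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME_ATTR) for a in receiver.iter("action")}
        receivers[receiver.get(NAME_ATTR)] = actions
    return permissions, receivers


def diff_manifests(original_xml, suspect_xml):
    """Report permissions and receivers present in the suspect build but not the original,
    and flag those that give SMS interception or sending capability."""
    orig_perms, orig_receivers = parse_manifest(original_xml)
    susp_perms, susp_receivers = parse_manifest(suspect_xml)

    added_permissions = sorted(susp_perms - orig_perms)
    added_receivers = {
        name: sorted(actions)
        for name, actions in susp_receivers.items()
        if name not in orig_receivers
    }

    findings = []
    for perm in added_permissions:
        if perm in SMS_PERMISSIONS:
            findings.append("added SMS permission %s" % perm)
    for name, actions in added_receivers.items():
        if SMS_RECEIVED_ACTION in actions:
            findings.append("added receiver %s listening for %s" % (name, SMS_RECEIVED_ACTION))

    return {
        "added_permissions": added_permissions,
        "added_receivers": added_receivers,
        "findings": findings,
    }


if __name__ == "__main__":
    report = diff_manifests(ORIGINAL_MANIFEST, TROJANIZED_MANIFEST)
    for line in report["findings"]:
        print(line)
```

The script expects plain-text manifests; an APK ships its manifest as binary XML, so decode it first with a tool such as apktool before feeding it in. Note that the diff only surfaces what was added relative to a trusted copy, so the reference manifest must come from the developer's own release, not from another third-party store.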

    Read the rest of this entry »


    We recently discussed a new Trojanized Android app sample. Today, we will discuss yet another one. This new Android malware is known as GoldDream and is detected by Trend Micro as ANDROIDOS_SPYGOLD.A.

    The particular app that was Trojanized in this attack was a racing game called “Fast Racing.” For a game, this Trojanized version needs a lot of permissions—more than is typical for something similar.

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice